[PATCH v2] base: dd: fix error return code of driver_sysfs_add()

2021-03-23 Thread Jia-Ju Bai
When device_create_file() fails and returns a non-zero value,
no error return code of driver_sysfs_add() is assigned.
To fix this bug, ret is assigned with the return value of
device_create_file(), and then ret is checked.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
v2:
* Fix a redundant whitespace.
  Thank Greg for good advice.

---
 drivers/base/dd.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/base/dd.c b/drivers/base/dd.c
index 9179825ff646..704ae8a90a00 100644
--- a/drivers/base/dd.c
+++ b/drivers/base/dd.c
@@ -413,8 +413,11 @@ static int driver_sysfs_add(struct device *dev)
if (ret)
goto rm_dev;
 
-   if (!IS_ENABLED(CONFIG_DEV_COREDUMP) || !dev->driver->coredump ||
-   !device_create_file(dev, _attr_coredump))
+   if (!IS_ENABLED(CONFIG_DEV_COREDUMP) || !dev->driver->coredump)
+   return 0;
+
+   ret = device_create_file(dev, _attr_coredump);
+   if (!ret)
return 0;
 
sysfs_remove_link(>kobj, "driver");
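Review bot: the changelog has no Fixes: tag and does not say what the caller sees today when device_create_file() fails. At the new `ret = device_create_file(...)` line, ret is known to be 0 because of the `if (ret) goto rm_dev;` check just above, so the old combined condition fell through to the sysfs_remove_link() cleanup with ret still 0. Put that in the commit message so the bug can be verified from the hunk, and name the commit that introduced the combined condition.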
-- 
2.17.1



Re: [PATCH] base: dd: fix error return code of driver_sysfs_add()

2021-03-23 Thread Jia-Ju Bai




On 2021/3/23 21:57, Greg KH wrote:

On Fri, Mar 05, 2021 at 02:24:05AM -0800, Jia-Ju Bai wrote:

When device_create_file() fails and returns a non-zero value,
no error return code of driver_sysfs_add() is assigned.
To fix this bug, ret is assigned with the return value of
device_create_file(), and then ret is checked.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
  drivers/base/dd.c | 7 +--
  1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/base/dd.c b/drivers/base/dd.c
index 9179825ff646..f94bbef95258 100644
--- a/drivers/base/dd.c
+++ b/drivers/base/dd.c
@@ -413,8 +413,11 @@ static int driver_sysfs_add(struct device *dev)
if (ret)
goto rm_dev;
  
-	if (!IS_ENABLED(CONFIG_DEV_COREDUMP) || !dev->driver->coredump ||

-   !device_create_file(dev, _attr_coredump))
+   if (!IS_ENABLED(CONFIG_DEV_COREDUMP) || !dev->driver->coredump)
+   return 0;
+   

Trailing whitespace :


Ah, sorry, I will send a V2 patch.


Best wishes,
Jia-Ju Bai


[PATCH v2] usb: gadget: legacy: fix error return code of msg_bind()

2021-03-23 Thread Jia-Ju Bai
When usb_otg_descriptor_alloc() returns NULL to usb_desc, no error
return code of msg_bind() is assigned.
To fix this bug, status is assigned with -ENOMEM in this case.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
v2:
* Fix a mistake in the report.
  Thank Greg for good advice.

---
 drivers/usb/gadget/legacy/mass_storage.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/legacy/mass_storage.c 
b/drivers/usb/gadget/legacy/mass_storage.c
index 9ed22c5fb7fe..ac1741126619 100644
--- a/drivers/usb/gadget/legacy/mass_storage.c
+++ b/drivers/usb/gadget/legacy/mass_storage.c
@@ -175,8 +175,10 @@ static int msg_bind(struct usb_composite_dev *cdev)
struct usb_descriptor_header *usb_desc;
 
usb_desc = usb_otg_descriptor_alloc(cdev->gadget);
-   if (!usb_desc)
+   if (!usb_desc) {
+   status = -ENOMEM;
goto fail_string_ids;
+   }
usb_otg_descriptor_init(cdev->gadget, usb_desc);
otg_desc[0] = usb_desc;
otg_desc[1] = NULL;
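Review bot: the commit message should state what value `status` holds when the `if (!usb_desc)` branch is taken, since the hunk does not show where status was last assigned and the fix is only needed if it is 0 at that point. A Fixes: tag is also missing. The `status = -ENOMEM;` choice itself is reasonable for an allocation helper that returns NULL.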
-- 
2.17.1



Re: [PATCH] usb: gadget: legacy: fix error return code of msg_bind()

2021-03-23 Thread Jia-Ju Bai




On 2021/3/23 19:35, Greg KH wrote:

On Sun, Mar 07, 2021 at 12:49:15AM -0800, Jia-Ju Bai wrote:

When usb_otg_descriptor_alloc() returns NULL to usb_desc, no error
return code of msg_bind() is assigned.
To fix this bug, status is assigned with -ENOMEM in this case.

Reported-by: TOTE Robot >

These lines are not written correctly :(

Please fix up and resend.


Sorry for the mistake.
I will fix it and send a V2 patch.


Best wishes,
Jia-Ju Bai


[PATCH v2] thermal: thermal_of: fix error return code of thermal_of_populate_bind_params()

2021-03-10 Thread Jia-Ju Bai
When kcalloc() returns NULL to __tcbp or of_count_phandle_with_args() 
returns zero or -ENOENT to count, no error return code of
thermal_of_populate_bind_params() is assigned.
To fix these bugs, ret is assigned with -ENOMEM and -ENOENT in these
cases, respectively.

Fixes: a92bab8919e3 ("of: thermal: Allow multiple devices to share cooling map")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
v2:
* Add the fixing about of_count_phandle_with_args() and the fixes tag.
  Thank Daniel Lezcano for good advice.

---
 drivers/thermal/thermal_of.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/thermal/thermal_of.c b/drivers/thermal/thermal_of.c
index 69ef12f852b7..5b76f9a1280d 100644
--- a/drivers/thermal/thermal_of.c
+++ b/drivers/thermal/thermal_of.c
@@ -704,14 +704,17 @@ static int thermal_of_populate_bind_params(struct 
device_node *np,
 
count = of_count_phandle_with_args(np, "cooling-device",
   "#cooling-cells");
-   if (!count) {
+   if (count <= 0) {
pr_err("Add a cooling_device property with at least one 
device\n");
+   ret = -ENOENT;
goto end;
}
 
__tcbp = kcalloc(count, sizeof(*__tcbp), GFP_KERNEL);
-   if (!__tcbp)
+   if (!__tcbp) {
+   ret = -ENOMEM;
goto end;
+   }
 
for (i = 0; i < count; i++) {
ret = of_parse_phandle_with_args(np, "cooling-device",
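Review bot: the widened `if (count <= 0)` test maps every negative count to -ENOENT and prints the "Add a cooling_device property" message for it, which hides the real cause if of_count_phandle_with_args() returns some other negative errno. Consider propagating it, for example `ret = count ? count : -ENOENT;`. The changelog should also mention that with the old `if (!count)` test a negative count went on to `kcalloc(count, sizeof(*__tcbp), GFP_KERNEL)`, because closing that path is a behaviour change beyond the return code.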
-- 
2.17.1



Re: [PATCH] thermal: thermal_of: fix error return code of thermal_of_populate_bind_params()

2021-03-10 Thread Jia-Ju Bai




On 2021/3/10 20:02, Daniel Lezcano wrote:

On 06/03/2021 15:11, Jia-Ju Bai wrote:

When kcalloc() fails and __tcbp is NULL, no error return code of
thermal_of_populate_bind_params() is assigned.
To fix this bug, ret is assigned with -ENOMEM in this case.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
  drivers/thermal/thermal_of.c | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/thermal/thermal_of.c b/drivers/thermal/thermal_of.c
index 69ef12f852b7..e8c9041482e9 100644
--- a/drivers/thermal/thermal_of.c
+++ b/drivers/thermal/thermal_of.c
@@ -710,8 +710,10 @@ static int thermal_of_populate_bind_params(struct 
device_node *np,
}
  
  	__tcbp = kcalloc(count, sizeof(*__tcbp), GFP_KERNEL);

-   if (!__tcbp)
+   if (!__tcbp) {
+   ret = -ENOMEM;
goto end;
+   }

Thank you for your patch.

Seems like the same happens a few lines before:

 count = of_count_phandle_with_args(np, "cooling-device",
"#cooling-cells");
 if (!count) {
 pr_err("Add a cooling_device property with at least one
device\n");
 goto end;
 }

Mind to send a patch fixing both ?



Thanks for the reply and advice.
I will send a new version of the patch to fix them both.


Best wishes,
Jia-Ju Bai


Re: [PATCH] net: bonding: fix error return code of bond_neigh_init()

2021-03-10 Thread Jia-Ju Bai




On 2021/3/10 17:24, Roi Dayan wrote:



On 2021-03-08 5:11 AM, Jia-Ju Bai wrote:

When slave is NULL or slave_ops->ndo_neigh_setup is NULL, no error
return code of bond_neigh_init() is assigned.
To fix this bug, ret is assigned with -EINVAL in these cases.

Fixes: 9e99bfefdbce ("bonding: fix bond_neigh_init()")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
  drivers/net/bonding/bond_main.c | 8 ++--
  1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/net/bonding/bond_main.c 
b/drivers/net/bonding/bond_main.c

index 74cbbb22470b..456315bef3a8 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -3978,11 +3978,15 @@ static int bond_neigh_init(struct neighbour *n)
    rcu_read_lock();
  slave = bond_first_slave_rcu(bond);
-    if (!slave)
+    if (!slave) {
+    ret = -EINVAL;
  goto out;
+    }
  slave_ops = slave->dev->netdev_ops;
-    if (!slave_ops->ndo_neigh_setup)
+    if (!slave_ops->ndo_neigh_setup) {
+    ret = -EINVAL;
  goto out;
+    }
    /* TODO: find another way [1] to implement this.
   * Passing a zeroed structure is fragile,




Hi,

This breaks basic functionality that always worked. A slave doesn't need
to exist nor to implement ndo_neigh_setup.
Now trying to add a neigh entry because of that fails.
This commit needs to be reverted.



Okay, thanks for the explanation, and I am sorry for this false report...


Best wishes,
Jia-Ju Bai


[PATCH v2] block: rsxx: fix error return code of rsxx_pci_probe()

2021-03-09 Thread Jia-Ju Bai
When create_singlethread_workqueue returns NULL to card->event_wq, no
error return code of rsxx_pci_probe() is assigned.

To fix this bug, st is assigned with -ENOMEM in this case.

Fixes: 8722ff8cdbfa ("block: IBM RamSan 70/80 device driver")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
v2:
* Drop wrong parts that make no sense.
  Thank Jens Axboe for good advice.

---
 drivers/block/rsxx/core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/block/rsxx/core.c b/drivers/block/rsxx/core.c
index 63f549889f87..d7e2416112ec 100644
--- a/drivers/block/rsxx/core.c
+++ b/drivers/block/rsxx/core.c
@@ -869,6 +869,7 @@ static int rsxx_pci_probe(struct pci_dev *dev,
card->event_wq = create_singlethread_workqueue(DRIVER_NAME"_event");
if (!card->event_wq) {
dev_err(CARD_TO_DEV(card), "Failed card event setup.\n");
+   st = -ENOMEM;
goto failed_event_handler;
}
 
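Review bot: the `v2:` note says wrong parts were dropped but not which ones; name them so the delta from v1 can be reviewed without diffing the two mails. For the remaining `st = -ENOMEM;` in the `if (!card->event_wq)` branch, the changelog should say why it is needed here: the failing call returns a pointer, so nothing has written an error into st on this path.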
-- 
2.17.1



Re: [PATCH] usb: renesas_usbhs: fix error return code of usbhsf_pkt_handler()

2021-03-09 Thread Jia-Ju Bai




On 2021/3/10 10:54, Yoshihiro Shimoda wrote:

Hi Jia-Ju,


From: Jia-Ju Bai, Sent: Tuesday, March 9, 2021 10:39 PM
On 2021/3/9 19:59, Yoshihiro Shimoda wrote:

Hi Jia-Ju,

Thank you for the patch!


From: Jia-Ju Bai, Sent: Sunday, March 7, 2021 6:01 PM

When __usbhsf_pkt_get() returns NULL to pkt, no error return code of
usbhsf_pkt_handler() is assigned.

Yes. Also I realized that no error return code of usbhsf_pkt_handler()
was assigned if the type value was unexpected value. So, I'm thinking
initial value of ret should be -EINVAL instead of 0.

This is okay to me.
Need I write a new patch for this?

Thank you for your reply. I can write such a new patch with your
Reported-by for this as minor refactoring of the usbhsf_pkt_handler().
May I write such a patch?


Okay, sure :)


Best wishes,
Jia-Ju Bai


Re: [PATCH] block: rsxx: fix error return code of rsxx_pci_probe()

2021-03-09 Thread Jia-Ju Bai




On 2021/3/10 4:59, Jens Axboe wrote:

On 3/8/21 3:05 AM, Jia-Ju Bai wrote:

Some error handling segments of rsxx_pci_probe() do not return error code,
so add error code for these segments.

Fixes: 8722ff8cdbfa ("block: IBM RamSan 70/80 device driver")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
  drivers/block/rsxx/core.c | 18 +++---
  1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/drivers/block/rsxx/core.c b/drivers/block/rsxx/core.c
index 63f549889f87..6b3b9b31a3e8 100644
--- a/drivers/block/rsxx/core.c
+++ b/drivers/block/rsxx/core.c
@@ -760,13 +760,17 @@ static int rsxx_pci_probe(struct pci_dev *dev,
pci_set_drvdata(dev, card);
  
  	st = ida_alloc(_disk_ida, GFP_KERNEL);

-   if (st < 0)
+   if (st < 0) {
+   st = -ENOMEM;
goto failed_ida_get;
+   }
card->disk_id = st;
  
  	st = pci_enable_device(dev);

-   if (st)
+   if (st) {
+   st = -EIO;
goto failed_enable;
+   }
  
  	pci_set_master(dev);

Maybe there are some valid parts to the patch, but the two above at
least make no sense - we're returning the error here as passed from
ida_alloc or pci_enable_device, why are you overriding them?



Ah, sorry for these incorrect parts...
I will send a new patch.


Best wishes,
Jia-Ju Bai


Re: [PATCH] fs: proc: fix error return code of proc_map_files_readdir()

2021-03-09 Thread Jia-Ju Bai




On 2021/3/10 3:05, Alexey Dobriyan wrote:

On Tue, Mar 09, 2021 at 10:30:23AM -0800, Eric Biggers wrote:


--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2332,8 +2332,10 @@ proc_map_files_readdir(struct file *file, struct 
dir_context *ctx)
goto out_put_task;
  
  	mm = get_task_mm(task);

-   if (!mm)
+   if (!mm) {
+   ret = -ENOENT;
goto out_put_task;
+   }
  
  	ret = mmap_read_lock_killable(mm);

Is there something in particular that makes you think that returning ENOENT is
the correct behavior in this case?  Try 'ls /proc/$pid/map_files' where pid is a
kernel thread; it's an empty directory, which is probably intentional.  Your
patch would change reading the directory to fail with ENOENT.

Yes. 0 from readdir means "no more stuff", not an error.


Thanks for your reply and explanation.
I am sorry for the false report...


Best wishes,
Jia-Ju Bai


Re: [BUG] memstick: core: missing error return code in msb_resume()

2021-03-09 Thread Jia-Ju Bai




On 2021/3/9 16:44, Ulf Hansson wrote:

On Fri, 5 Mar 2021 at 03:45, Jia-Ju Bai  wrote:

My static analysis tool reports that no error return code is assigned in
error handling code of msb_resume().
However, many other drivers assign error return code in xxx_resume(),
such as sky2_resume() and e1000_resume().
I wonder whether this is intentional?

It's for sure intentional, but it really doesn't matter that much as
we are probably in rather dodgy state anyways.

Of course, propagating error codes upwards in the stack is always good
practise, so feel free to add it.



Thanks for the reply!
I will find time to add error return code in this function :)


Best wishes,
Jia-Ju Bai


Re: [PATCH] usb: renesas_usbhs: fix error return code of usbhsf_pkt_handler()

2021-03-09 Thread Jia-Ju Bai

Thanks for the reply!

On 2021/3/9 19:59, Yoshihiro Shimoda wrote:

Hi Jia-Ju,

Thank you for the patch!


From: Jia-Ju Bai, Sent: Sunday, March 7, 2021 6:01 PM

When __usbhsf_pkt_get() returns NULL to pkt, no error return code of
usbhsf_pkt_handler() is assigned.

Yes. Also I realized that no error return code of usbhsf_pkt_handler()
was assigned if the type value was unexpected value. So, I'm thinking
initial value of ret should be -EINVAL instead of 0.


This is okay to me.
Need I write a new patch for this?


Best wishes,
Jia-Ju Bai


Re: [PATCH] block: keyslot-manager: fix error return code of blk_ksm_evict_key()

2021-03-09 Thread Jia-Ju Bai




On 2021/3/9 19:45, Satya Tangirala wrote:

On Tue, Mar 09, 2021 at 01:18:12AM -0800, Jia-Ju Bai wrote:

When blk_ksm_find_keyslot() returns NULL to slot, no error return code
of blk_ksm_evict_key() is assigned.
To fix this bug, err is assigned with -ENOENT in this case.

Fixes: 1b2628397058 ("block: Keyslot Manager for Inline Encryption")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
  block/keyslot-manager.c | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/block/keyslot-manager.c b/block/keyslot-manager.c
index 2c4a55bea6ca..4dd5da0645bc 100644
--- a/block/keyslot-manager.c
+++ b/block/keyslot-manager.c
@@ -375,8 +375,10 @@ int blk_ksm_evict_key(struct blk_keyslot_manager *ksm,
  
  	blk_ksm_hw_enter(ksm);

slot = blk_ksm_find_keyslot(ksm, key);
-   if (!slot)
+   if (!slot) {
+   err = -ENOENT;
goto out_unlock;
+   }
  
  	if (WARN_ON_ONCE(atomic_read(>slot_refs) != 0)) {

err = -EBUSY;
--
2.17.1


This function was deliberately designed to return 0 on success *and also*
if there's no keyslot found with the specified key - i.e. it returns 0 if
the key is no longer programmed into the keyslot manager, which is what the
callers care about, so I don't think there's a bug here.


Thanks for the reply and explanation!
It seems like a false positive here, and I am sorry for this false report.


Best wishes,
Jia-Ju Bai


Re: [PATCH] net: bridge: fix error return code of do_update_counters()

2021-03-09 Thread Jia-Ju Bai




On 2021/3/9 19:01, Florian Westphal wrote:

Jia-Ju Bai  wrote:

When find_table_lock() returns NULL to t, no error return code of
do_update_counters() is assigned.

It's -ENOENT.


t = find_table_lock(net, name, , _mutex);

^

ret is passed to find_table_lock, which passes it to
find_inlist_lock_noload() which will set *ret = -ENOENT
for NULL case.


Thanks for the reply!
I did not notice "" in find_table_lock()...
I am sorry for the false positive.


Best wishes,
Jia-Ju Bai
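
The false-positive pattern Florian describes above, next to a genuine instance of the bug class, as an added example that is not part of the thread or of the kernel source. `find_table()`, `find_table_plain()` and the `update_counters*()` functions are hypothetical userspace stand-ins, and the table data is constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a table registry; constructed sample data. */
struct table { const char *name; int nentries; };

static struct table tables[] = { { "filter", 3 }, { "nat", 1 } };

/* Callee reports failure through *error: on a miss it returns NULL and
 * stores -ENOENT in the caller's variable, as described in the reply. */
static struct table *find_table(const char *name, int *error)
{
    for (size_t i = 0; i < sizeof(tables) / sizeof(tables[0]); i++)
        if (strcmp(tables[i].name, name) == 0)
            return &tables[i];
    *error = -ENOENT;
    return NULL;
}

/* Looks like "goto out without setting ret", but ret was already written
 * by find_table() through the pointer. A checker that only tracks direct
 * assignments to ret reports a false positive on the !t branch. */
int update_counters(const char *name, int num_counters)
{
    int ret = 0;
    struct table *t;

    t = find_table(name, &ret);
    if (!t)
        goto out;
    if (num_counters != t->nentries) {
        ret = -EINVAL;
        goto out;
    }
out:
    return ret;
}

/* Same lookup without an error out-parameter: NULL is the only signal. */
static struct table *find_table_plain(const char *name)
{
    int unused;

    return find_table(name, &unused);
}

/* Genuine instance of the bug class: ret is still 0 on the NULL path,
 * so a failed lookup is reported to the caller as success. */
int update_counters_buggy(const char *name, int num_counters)
{
    int ret = 0;
    struct table *t = find_table_plain(name);

    if (!t)
        goto out;
    if (num_counters != t->nentries)
        ret = -EINVAL;
out:
    return ret;
}

/* Fixed form: the caller assigns the errno itself because the callee
 * gives it nothing but a NULL pointer. */
int update_counters_fixed(const char *name, int num_counters)
{
    int ret = 0;
    struct table *t = find_table_plain(name);

    if (!t) {
        ret = -ENOENT;
        goto out;
    }
    if (num_counters != t->nentries)
        ret = -EINVAL;
out:
    return ret;
}

int main(void)
{
    printf("out-param miss:  %d\n", update_counters("missing", 1));
    printf("buggy miss:      %d\n", update_counters_buggy("missing", 1));
    printf("fixed miss:      %d\n", update_counters_fixed("missing", 1));
    return 0;
}
```

Before patching a `goto` that appears to leave the return variable unset, check whether its address was passed to the call that just failed.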


[PATCH] fs: proc: fix error return code of proc_map_files_readdir()

2021-03-09 Thread Jia-Ju Bai
When get_task_mm() returns NULL to mm, no error return code of
proc_map_files_readdir() is assigned.
To fix this bug, ret is assigned with -ENOENT in this case.

Fixes: f0c3b5093add ("[readdir] convert procfs")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 fs/proc/base.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 3851bfcdba56..254cc6ac65fb 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2332,8 +2332,10 @@ proc_map_files_readdir(struct file *file, struct 
dir_context *ctx)
goto out_put_task;
 
mm = get_task_mm(task);
-   if (!mm)
+   if (!mm) {
+   ret = -ENOENT;
goto out_put_task;
+   }
 
ret = mmap_read_lock_killable(mm);
if (ret) {
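Review bot: the changelog does not show that a NULL from get_task_mm() is an error for a readdir handler. In the new `if (!mm)` block, -ENOENT turns "this task has no mm" into a failed directory read, where the existing code yields an empty listing. State which callers or userspace behaviour need the failure, or keep returning the current value of ret.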
-- 
2.17.1



[BUG] Possible bug of missing error return code in __ext4_journalled_writepage()

2021-03-09 Thread Jia-Ju Bai

In __ext4_journalled_writepage():
    ..
    inode_bh = ext4_journalled_write_inline_data(inode, len, page);
    if (inode_bh == NULL)
    goto out;
    ..
out:
    unlock_page(page);
out_no_pagelock:
    brelse(inode_bh);
    return ret;

When inode_bh is NULL, ret is not assigned with an error code like -ENOENT.
I wonder whether this is intentional? Or ret should be assigned with 
-ENOENT here?



Best wishes,
Jia-Ju Bai


[PATCH] block: keyslot-manager: fix error return code of blk_ksm_evict_key()

2021-03-09 Thread Jia-Ju Bai
When blk_ksm_find_keyslot() returns NULL to slot, no error return code
of blk_ksm_evict_key() is assigned.
To fix this bug, err is assigned with -ENOENT in this case.

Fixes: 1b2628397058 ("block: Keyslot Manager for Inline Encryption")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 block/keyslot-manager.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/block/keyslot-manager.c b/block/keyslot-manager.c
index 2c4a55bea6ca..4dd5da0645bc 100644
--- a/block/keyslot-manager.c
+++ b/block/keyslot-manager.c
@@ -375,8 +375,10 @@ int blk_ksm_evict_key(struct blk_keyslot_manager *ksm,
 
blk_ksm_hw_enter(ksm);
slot = blk_ksm_find_keyslot(ksm, key);
-   if (!slot)
+   if (!slot) {
+   err = -ENOENT;
goto out_unlock;
+   }
 
if (WARN_ON_ONCE(atomic_read(>slot_refs) != 0)) {
err = -EBUSY;
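Review bot: for a function named blk_ksm_evict_key(), the `if (!slot)` branch may be the state the caller wants, namely that the key is not programmed in any slot. The changelog needs to show a caller that must distinguish "evicted now" from "was not there" before `err = -ENOENT;` is added; otherwise this changes the contract for every caller that treats 0 as "key is gone".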
-- 
2.17.1



Re: [PATCH] net: netlink: fix error return code of netlink_proto_init()

2021-03-09 Thread Jia-Ju Bai




On 2021/3/9 16:47, Heiner Kallweit wrote:

On 09.03.2021 09:33, Jia-Ju Bai wrote:

When kcalloc() returns NULL to nl_table, no error return code of
netlink_proto_init() is assigned.
To fix this bug, err is assigned with -ENOMEM in this case.


Didn't we talk enough about your incorrect patches yesterday?
This one is incorrect again. panic() never returns.
Stop sending patches until you understand the code you're changing!


Ah, sorry, I was too confident about this bug report...
Thanks for your reply.
Following your advice, now I am sending the patches only for the bug 
reports that I am confident about after careful code review.
Some of the patches have been applied, but some of them are still wrong, 
like this patch...

I am sorry for the false positives...


Best wishes,
Jia-Ju Bai


[PATCH] kernel: profile: fix error return code of create_proc_profile()

2021-03-09 Thread Jia-Ju Bai
When proc_create() returns NULL to entry, no error return code of
create_proc_profile() is assigned.
To fix this bug, err is assigned with -ENOMEM in this case.

Fixes: e722d8daafb9 ("profile: Convert to hotplug state machine")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 kernel/profile.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/profile.c b/kernel/profile.c
index 6f69a4195d56..65bf03bb8a5e 100644
--- a/kernel/profile.c
+++ b/kernel/profile.c
@@ -549,8 +549,10 @@ int __ref create_proc_profile(void)
 #endif
entry = proc_create("profile", S_IWUSR | S_IRUGO,
NULL, _proc_ops);
-   if (!entry)
+   if (!entry) {
+   err = -ENOMEM;
goto err_state_onl;
+   }
proc_set_size(entry, (1 + prof_len) * sizeof(atomic_t));
 
return err;
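Review bot: proc_create() gives back only a pointer, so -ENOMEM in the new `if (!entry)` block is a guess at the cause; say in the changelog that it is chosen by convention. The hunk also does not show what the code at `err_state_onl` returns. Confirm that it returns err and not a fixed value, otherwise the new assignment has no effect.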
-- 
2.17.1



[PATCH] kernel: kexec_file: fix error return code of kexec_calculate_store_digests()

2021-03-09 Thread Jia-Ju Bai
When vzalloc() returns NULL to sha_regions, no error return code of
kexec_calculate_store_digests() is assigned.
To fix this bug, ret is assigned with -ENOMEM in this case.

Fixes: a43cac0d9dc2 ("kexec: split kexec_file syscall code to kexec_file.c")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 kernel/kexec_file.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 5c3447cf7ad5..33400ff051a8 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -740,8 +740,10 @@ static int kexec_calculate_store_digests(struct kimage 
*image)
 
sha_region_sz = KEXEC_SEGMENT_MAX * sizeof(struct kexec_sha_region);
sha_regions = vzalloc(sha_region_sz);
-   if (!sha_regions)
+   if (!sha_regions) {
+   ret = -ENOMEM;
goto out_free_desc;
+   }
 
desc->tfm   = tfm;
 
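Review bot: the changelog should state the consequence, not only the missing assignment. At the new `if (!sha_regions)` block, a function named for calculating and storing digests could report success without having produced any, if ret is 0 there. The hunk does not show where ret was last set or what `out_free_desc` returns; add both to the commit message so the claim can be checked.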
-- 
2.17.1



[PATCH] net: netlink: fix error return code of netlink_proto_init()

2021-03-09 Thread Jia-Ju Bai
When kcalloc() returns NULL to nl_table, no error return code of
netlink_proto_init() is assigned.
To fix this bug, err is assigned with -ENOMEM in this case.

Fixes: fab2caf62ed0 ("[NETLINK]: Call panic if nl_table allocation fails")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 net/netlink/af_netlink.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index dd488938447f..9ab66cfb1037 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2880,8 +2880,10 @@ static int __init netlink_proto_init(void)
BUILD_BUG_ON(sizeof(struct netlink_skb_parms) > sizeof_field(struct 
sk_buff, cb));
 
nl_table = kcalloc(MAX_LINKS, sizeof(*nl_table), GFP_KERNEL);
-   if (!nl_table)
+   if (!nl_table) {
+   err = -ENOMEM;
goto panic;
+   }
 
for (i = 0; i < MAX_LINKS; i++) {
if (rhashtable_init(_table[i].hash,
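Review bot: the failure branch jumps to a label named `panic`, and the Fixes: tag cites a commit titled "Call panic if nl_table allocation fails". If that label calls panic(), control never returns from this path and the new `err = -ENOMEM;` is dead code. Show in the changelog what the label does; if it does not return, drop the patch.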
-- 
2.17.1



Re: [PATCH] net: mellanox: mlx5: fix error return code of mlx5e_stats_flower()

2021-03-09 Thread Jia-Ju Bai




On 2021/3/9 16:24, Roi Dayan wrote:



On 2021-03-09 10:20 AM, Roi Dayan wrote:



On 2021-03-06 3:47 PM, Jia-Ju Bai wrote:

When mlx5e_tc_get_counter() returns NULL to counter or
mlx5_devcom_get_peer_data() returns NULL to peer_esw, no error return
code of mlx5e_stats_flower() is assigned.
To fix this bug, err is assigned with -EINVAL in these cases.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
  drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 12 +---
  1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c 
b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c

index 0da69b98f38f..1f2c9da7bd35 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
@@ -4380,8 +4380,10 @@ int mlx5e_stats_flower(struct net_device 
*dev, struct mlx5e_priv *priv,

  if (mlx5e_is_offloaded_flow(flow) || flow_flag_test(flow, CT)) {
  counter = mlx5e_tc_get_counter(flow);
-    if (!counter)
+    if (!counter) {
+    err = -EINVAL;
  goto errout;
+    }
  mlx5_fc_query_cached(counter, , , );
  }
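Review bot: -EINVAL in the new `if (!counter)` block tells the caller its request was malformed, but the changelog gives no reason to think a missing counter is the caller's fault, or that callers of mlx5e_stats_flower() want a failure here instead of stats left untouched. Justify the errno, and describe what `errout` does so the effect of a nonzero err can be reviewed.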
@@ -4390,8 +4392,10 @@ int mlx5e_stats_flower(struct net_device 
*dev, struct mlx5e_priv *priv,

   * un-offloaded while the other rule is offloaded.
   */
  peer_esw = mlx5_devcom_get_peer_data(devcom, 
MLX5_DEVCOM_ESW_OFFLOADS);

-    if (!peer_esw)
+    if (!peer_esw) {
+    err = -EINVAL;


note here it's not an error. it could be there is no peer esw
so just continue with the stats update.


  goto out;
+    }
  if (flow_flag_test(flow, DUP) &&
  flow_flag_test(flow->peer_flow, OFFLOADED)) {
@@ -4400,8 +4404,10 @@ int mlx5e_stats_flower(struct net_device 
*dev, struct mlx5e_priv *priv,

  u64 lastuse2;
  counter = mlx5e_tc_get_counter(flow->peer_flow);
-    if (!counter)
+    if (!counter) {
+    err = -EINVAL;


this change is problematic. the current goto is to do stats update with
the first counter stats we got but if you now want to return an error
then you probably should not do any update at all.


Thanks for your reply :)
I am not sure whether an error code should be returned here?
If so, flow_stats_update(...) should not be called here?


Best wishes,
Jia-Ju Bai




  goto no_peer_counter;
+    }
  mlx5_fc_query_cached(counter, , , );
  bytes += bytes2;








[PATCH] fs: orangefs: fix error return code of orangefs_revalidate_lookup()

2021-03-09 Thread Jia-Ju Bai
When op_alloc() returns NULL to new_op, no error return code of
orangefs_revalidate_lookup() is assigned.
To fix this bug, ret is assigned with -ENOMEM in this case.

Fixes: 8bb8aefd5afb ("OrangeFS: Change almost all instances of the string PVFS2 
to OrangeFS.")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 fs/orangefs/dcache.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/orangefs/dcache.c b/fs/orangefs/dcache.c
index fe484cf93e5c..8bbe9486e3a6 100644
--- a/fs/orangefs/dcache.c
+++ b/fs/orangefs/dcache.c
@@ -26,8 +26,10 @@ static int orangefs_revalidate_lookup(struct dentry *dentry)
gossip_debug(GOSSIP_DCACHE_DEBUG, "%s: attempting lookup.\n", __func__);
 
new_op = op_alloc(ORANGEFS_VFS_OP_LOOKUP);
-   if (!new_op)
+   if (!new_op) {
+   ret = -ENOMEM;
goto out_put_parent;
+   }
 
new_op->upcall.req.lookup.sym_follow = ORANGEFS_LOOKUP_LINK_NO_FOLLOW;
new_op->upcall.req.lookup.parent_refn = parent->refn;
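Review bot: the changelog does not say what ret means for orangefs_revalidate_lookup(). If a revalidate helper uses 0 for "entry is not valid" instead of "success", then the `if (!new_op)` path already reports the conservative answer and `ret = -ENOMEM;` changes what the caller does with the dentry. Document the return convention and how the caller handles a negative value before changing this branch.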
-- 
2.17.1



[PATCH] net: bridge: fix error return code of do_update_counters()

2021-03-08 Thread Jia-Ju Bai
When find_table_lock() returns NULL to t, no error return code of
do_update_counters() is assigned.
To fix this bug, ret is assigned with -ENOENT in this case.

Fixes: 49facff9f925 ("netfilter: ebtables: split update_counters into two 
functions")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 net/bridge/netfilter/ebtables.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index ebe33b60efd6..66c9e4077985 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1256,8 +1256,10 @@ static int do_update_counters(struct net *net, const 
char *name,
return -ENOMEM;
 
t = find_table_lock(net, name, , _mutex);
-   if (!t)
+   if (!t) {
+   ret = -ENOENT;
goto free_tmp;
+   }
 
if (num_counters != t->private->nentries) {
ret = -EINVAL;
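Review bot: find_table_lock() is called with an argument between `name` and the mutex, and the changelog does not say what it is. If it is an error out-parameter pointing at ret, the callee may already store an errno there when it returns NULL, and the added `ret = -ENOENT;` in the `if (!t)` block would be redundant or would mask a different code. Check the callee and say in the commit message what ret holds on this path.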
-- 
2.17.1



Re: [PATCH] net: ieee802154: fix error return code of dgram_sendmsg()

2021-03-08 Thread Jia-Ju Bai




On 2021/3/8 21:33, Heiner Kallweit wrote:

On 08.03.2021 13:18, Jia-Ju Bai wrote:


On 2021/3/8 18:19, Heiner Kallweit wrote:

On 08.03.2021 10:31, Jia-Ju Bai wrote:

When sock_alloc_send_skb() returns NULL to skb, no error return code of
dgram_sendmsg() is assigned.
To fix this bug, err is assigned with -ENOMEM in this case.


Please stop sending such nonsense. Basically all such patches you
sent so far are false positives. You have to start thinking,
don't blindly trust your robot.
In the case here the err variable is populated by sock_alloc_send_skb().

Ah, sorry, it is my fault :(
I did not notice that the err variable is populated by sock_alloc_send_skb().
I will think more carefully before sending patches.

By the way, I wonder how to report and discuss possible bugs that I am not 
quite sure of?
Some people told me that sending patches is better than reporting bugs via 
Bugzilla, so I write the patches of these possible bugs...
Do you have any advice?


If you're quite sure that something is a bug then sending a patch is fine.
Your submissions more or less all being false positives shows that this
takes more than just forwarding bot findings, especially if you have no
idea yet regarding the quality of the bot.
Alternatively you can contact the maintainer and respective mailing list.
But again, maintainers typically are very busy and you should have done
all you can to analyze the suspected bug.

What I'd do being in your shoes:
Take the first 10 findings of a new bot and analyze in detail whether
findings are correct or false positives. Of course this means you
need to get familiar with the affected code in the respective driver.
If false positive ratio is > 5% I wouldn't send out patches w/o more
detailed analysis per finding.

Worst case a maintainer is busy and can't review your submission in time,
and the incorrect fix is applied and breaks the driver.
Typically this shouldn't happen however because Dave/Jakub won't apply
a patch w/o Ack from the respective maintainer.

Disclaimer:
I can only speak for myself. Other maintainers may see this differently.


Okay, thanks a lot for the very helpful advice :)
I will carefully check the bug report and try my best to write correct 
patches.



Best wishes,
Jia-Ju Bai


Re: [PATCH] net: ieee802154: fix error return code of dgram_sendmsg()

2021-03-08 Thread Jia-Ju Bai




On 2021/3/8 18:19, Heiner Kallweit wrote:

On 08.03.2021 10:31, Jia-Ju Bai wrote:

When sock_alloc_send_skb() returns NULL to skb, no error return code of
dgram_sendmsg() is assigned.
To fix this bug, err is assigned with -ENOMEM in this case.


Please stop sending such nonsense. Basically all such patches you
sent so far are false positives. You have to start thinking,
don't blindly trust your robot.
In the case here the err variable is populated by sock_alloc_send_skb().


Ah, sorry, it is my fault :(
I did not notice that the err variable is populated by 
sock_alloc_send_skb().

I will think more carefully before sending patches.

By the way, I wonder how to report and discuss possible bugs that I am 
not quite sure of?
Some people told me that sending patches is better than reporting bugs 
via Bugzilla, so I write the patches of these possible bugs...

Do you have any advice?

Thanks a lot!


Best wishes,
Jia-Ju Bai



Fixes: 78f821b64826 ("ieee802154: socket: put handling into one file")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
  net/ieee802154/socket.c | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
index a45a0401adc5..a750b37c7e73 100644
--- a/net/ieee802154/socket.c
+++ b/net/ieee802154/socket.c
@@ -642,8 +642,10 @@ static int dgram_sendmsg(struct sock *sk, struct msghdr 
*msg, size_t size)
skb = sock_alloc_send_skb(sk, hlen + tlen + size,
  msg->msg_flags & MSG_DONTWAIT,
  );
-   if (!skb)
+   if (!skb) {
+   err = -ENOMEM;
goto out_dev;
+   }
  
  	skb_reserve(skb, hlen);
  





[PATCH] block: rsxx: fix error return code of rsxx_pci_probe()

2021-03-08 Thread Jia-Ju Bai
Some error handling segments of rsxx_pci_probe() do not return error code, 
so add error code for these segments.

Fixes: 8722ff8cdbfa ("block: IBM RamSan 70/80 device driver")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/block/rsxx/core.c | 18 +++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/drivers/block/rsxx/core.c b/drivers/block/rsxx/core.c
index 63f549889f87..6b3b9b31a3e8 100644
--- a/drivers/block/rsxx/core.c
+++ b/drivers/block/rsxx/core.c
@@ -760,13 +760,17 @@ static int rsxx_pci_probe(struct pci_dev *dev,
pci_set_drvdata(dev, card);
 
st = ida_alloc(_disk_ida, GFP_KERNEL);
-   if (st < 0)
+   if (st < 0) {
+   st = -ENOMEM;
goto failed_ida_get;
+   }
card->disk_id = st;
 
st = pci_enable_device(dev);
-   if (st)
+   if (st) {
+   st = -EIO;
goto failed_enable;
+   }
 
pci_set_master(dev);
 
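Review bot: both new blocks overwrite an errno that the callee has just returned. After `st = ida_alloc(...)` the `if (st < 0)` branch already has a negative st, and after `st = pci_enable_device(dev)` the `if (st)` branch already has a nonzero st; replacing them with -ENOMEM and -EIO discards the real cause. Drop both changes.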
@@ -774,6 +778,7 @@ static int rsxx_pci_probe(struct pci_dev *dev,
if (st) {
dev_err(CARD_TO_DEV(card),
"No usable DMA configuration,aborting\n");
+   st = -EIO;
goto failed_dma_mask;
}
 
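Review bot: inside `if (st) {` st is nonzero by definition, so the added `st = -EIO;` cannot fix a missing return code; it only replaces whatever the failing call reported. The same applies to every later hunk in this patch whose new assignment sits inside an `if (st)` block. Keep the callee's value.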
@@ -781,6 +786,7 @@ static int rsxx_pci_probe(struct pci_dev *dev,
if (st) {
dev_err(CARD_TO_DEV(card),
"Failed to request memory region\n");
+   st = -EIO;
goto failed_request_regions;
}
 
@@ -817,6 +823,7 @@ static int rsxx_pci_probe(struct pci_dev *dev,
if (st) {
dev_err(CARD_TO_DEV(card),
"Failed requesting IRQ%d\n", dev->irq);
+   st = -EINVAL;
goto failed_irq;
}
 
@@ -824,6 +831,7 @@ static int rsxx_pci_probe(struct pci_dev *dev,
st = rsxx_creg_setup(card);
if (st) {
dev_err(CARD_TO_DEV(card), "Failed to setup creg interface.\n");
+   st = -EINVAL;
goto failed_creg_setup;
}
 
@@ -862,6 +870,7 @@ static int rsxx_pci_probe(struct pci_dev *dev,
if (st) {
dev_info(CARD_TO_DEV(card),
"Failed to setup DMA engine\n");
+   st = -EINVAL;
goto failed_dma_setup;
}
 
@@ -869,14 +878,17 @@ static int rsxx_pci_probe(struct pci_dev *dev,
card->event_wq = create_singlethread_workqueue(DRIVER_NAME"_event");
if (!card->event_wq) {
dev_err(CARD_TO_DEV(card), "Failed card event setup.\n");
+   st = -ENOMEM;
goto failed_event_handler;
}
 
INIT_WORK(>event_work, card_event_handler);
 
st = rsxx_setup_dev(card);
-   if (st)
+   if (st) {
+   st = -EINVAL;
goto failed_create_dev;
+   }
 
rsxx_get_card_state(card, >state);
 
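Review bot: Only the first addition in this hunk supplies a missing error code. The "if (!card->event_wq)" branch tests a pointer, not st, so st is still 0 from the preceding successful call and "st = -ENOMEM" is needed there. In the rsxx_setup_dev() branch st is already non-zero, so "st = -EINVAL" discards the code that function returned; leave that branch as it was. The commit message should then name the segments that really returned 0 instead of saying "some error handling segments".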
-- 
2.17.1



[PATCH] net: ieee802154: fix error return code of dgram_sendmsg()

2021-03-08 Thread Jia-Ju Bai
When sock_alloc_send_skb() returns NULL to skb, no error return code of
dgram_sendmsg() is assigned.
To fix this bug, err is assigned with -ENOMEM in this case.

Fixes: 78f821b64826 ("ieee802154: socket: put handling into one file")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 net/ieee802154/socket.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
index a45a0401adc5..a750b37c7e73 100644
--- a/net/ieee802154/socket.c
+++ b/net/ieee802154/socket.c
@@ -642,8 +642,10 @@ static int dgram_sendmsg(struct sock *sk, struct msghdr 
*msg, size_t size)
skb = sock_alloc_send_skb(sk, hlen + tlen + size,
  msg->msg_flags & MSG_DONTWAIT,
  );
-   if (!skb)
+   if (!skb) {
+   err = -ENOMEM;
goto out_dev;
+   }
 
skb_reserve(skb, hlen);
 
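Review bot: The "err = -ENOMEM" added in the "if (!skb)" branch overrides an error code the callee has already reported. sock_alloc_send_skb() takes a pointer to an error variable as its last argument (the argument left blank after "msg->msg_flags & MSG_DONTWAIT," in this copy of the hunk) and fills it in when it returns NULL, so err is not unassigned on this path. Forcing -ENOMEM would also turn a non-blocking send that could not get buffer space into an out-of-memory error. Keep the original "if (!skb) goto out_dev;".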
-- 
2.17.1



[PATCH] net: ieee802154: fix error return code of raw_sendmsg()

2021-03-08 Thread Jia-Ju Bai
When sock_alloc_send_skb() returns NULL to skb, no error return code of
raw_sendmsg() is assigned.
To fix this bug, err is assigned with -ENOMEM in this case.

Fixes: 78f821b64826 ("ieee802154: socket: put handling into one file")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 net/ieee802154/socket.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
index a45a0401adc5..3d76b207385e 100644
--- a/net/ieee802154/socket.c
+++ b/net/ieee802154/socket.c
@@ -277,8 +277,10 @@ static int raw_sendmsg(struct sock *sk, struct msghdr 
*msg, size_t size)
tlen = dev->needed_tailroom;
skb = sock_alloc_send_skb(sk, hlen + tlen + size,
  msg->msg_flags & MSG_DONTWAIT, );
-   if (!skb)
+   if (!skb) {
+   err = -ENOMEM;
goto out_dev;
+   }
 
skb_reserve(skb, hlen);
 
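Review bot: In the "if (!skb)" branch, err has already been written by sock_alloc_send_skb() through its final error-pointer argument, so the added "err = -ENOMEM" replaces a more specific code, for example the one returned when MSG_DONTWAIT is set and no buffer space is free. This hunk and the dgram_sendmsg() patch are also made against the same base blob a45a0401adc5 of net/ieee802154/socket.c, so if any change is kept they belong in one patch or a numbered series.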
-- 
2.17.1



Re: [PATCH] gpu: drm: i915: fix error return code of igt_buddy_alloc_smoke()

2021-03-08 Thread Jia-Ju Bai




On 2021/3/8 17:18, Chris Wilson wrote:

Quoting Jia-Ju Bai (2021-03-08 08:59:52)

When i915_random_order() returns NULL to order, no error return code of
igt_buddy_alloc_smoke() is assigned.
To fix this bug, err is assigned with -EINVAL in this case.

It would not be EINVAL since that is used for a reference failure, but
in this case the idea was to return 0 as no testing was done and the
ENOMEM was raised before testing began i.e. not an internal and
unexpected driver allocation failure.
-Chris


Okay, thanks for your reply :)


Best wishes,
Jia-Ju Bai


[PATCH] net: qrtr: fix error return code of qrtr_sendmsg()

2021-03-08 Thread Jia-Ju Bai
When sock_alloc_send_skb() returns NULL to skb, no error return code of
qrtr_sendmsg() is assigned.
To fix this bug, rc is assigned with -ENOMEM in this case.

Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 net/qrtr/qrtr.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c
index b34358282f37..ac2a4a7711da 100644
--- a/net/qrtr/qrtr.c
+++ b/net/qrtr/qrtr.c
@@ -958,8 +958,10 @@ static int qrtr_sendmsg(struct socket *sock, struct msghdr 
*msg, size_t len)
plen = (len + 3) & ~3;
skb = sock_alloc_send_skb(sk, plen + QRTR_HDR_MAX_SIZE,
  msg->msg_flags & MSG_DONTWAIT, );
-   if (!skb)
+   if (!skb) {
+   rc = -ENOMEM;
goto out_node;
+   }
 
skb_reserve(skb, QRTR_HDR_MAX_SIZE);
 
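Review bot: rc is not left unset when skb is NULL here: the last argument of sock_alloc_send_skb() is an int pointer that receives the failure code, so "rc = -ENOMEM" would overwrite it with a fixed value. The commit message's claim that no error return code is assigned does not hold for this call; drop the hunk, or show which failure of sock_alloc_send_skb() leaves rc at 0.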
-- 
2.17.1



[PATCH] gpu: drm: i915: fix error return code of igt_threaded_blt()

2021-03-08 Thread Jia-Ju Bai
When kcalloc() returns NULL to tsk or thread, no error code of 
igt_threaded_blt() is returned.
To fix this bug, -ENOMEM is returned as error code.

Fixes: 0e99f939f08f ("drm/i915/selftests/blt: add some kthreads into the mix")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/gpu/drm/i915/gem/selftests/i915_gem_object_blt.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/i915/gem/selftests/i915_gem_object_blt.c 
b/drivers/gpu/drm/i915/gem/selftests/i915_gem_object_blt.c
index 23b6e11bbc3e..b54ba8a1fcec 100644
--- a/drivers/gpu/drm/i915/gem/selftests/i915_gem_object_blt.c
+++ b/drivers/gpu/drm/i915/gem/selftests/i915_gem_object_blt.c
@@ -471,11 +471,13 @@ static int igt_threaded_blt(struct intel_engine_cs 
*engine,
 
tsk = kcalloc(n_cpus, sizeof(struct task_struct *), GFP_KERNEL);
if (!tsk)
-   return 0;
+   return -ENOMEM;
 
thread = kcalloc(n_cpus, sizeof(struct igt_thread_arg), GFP_KERNEL);
-   if (!thread)
+   if (!thread) {
+   err = -ENOMEM;
goto out_tsk;
+   }
 
thread[0].file = mock_file(engine->i915);
if (IS_ERR(thread[0].file)) {
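Review bot: The original "return 0;" in the "if (!tsk)" branch is an explicit choice, not a forgotten assignment, so changing it to "return -ENOMEM;" alters selftest policy rather than fixing an omission. Failing to allocate the bookkeeping arrays before any test has run can reasonably be treated as a skip, which is what the maintainer's reply on the igt_buddy_alloc_smoke() patch in this thread describes. Ask the i915 maintainers whether the same intent applies here before changing either branch.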
-- 
2.17.1



[PATCH] gpu: drm: i915: fix error return code of igt_buddy_alloc_smoke()

2021-03-08 Thread Jia-Ju Bai
When i915_random_order() returns NULL to order, no error return code of
igt_buddy_alloc_smoke() is assigned.
To fix this bug, err is assigned with -EINVAL in this case.

Fixes: 1fe3818d17c9 ("drm/i915/selftests: try to rein in alloc_smoke")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/gpu/drm/i915/selftests/i915_buddy.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/selftests/i915_buddy.c 
b/drivers/gpu/drm/i915/selftests/i915_buddy.c
index 632b912b0bc9..cf9b551b77e1 100644
--- a/drivers/gpu/drm/i915/selftests/i915_buddy.c
+++ b/drivers/gpu/drm/i915/selftests/i915_buddy.c
@@ -318,8 +318,10 @@ static int igt_buddy_alloc_smoke(void *arg)
}
 
order = i915_random_order(mm.max_order + 1, );
-   if (!order)
+   if (!order) {
+   err = -EINVAL;
goto out_fini;
+   }
 
for (i = 0; i <= mm.max_order; ++i) {
struct i915_buddy_block *block;
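Review bot: -EINVAL in the "if (!order)" branch is the wrong code for what the maintainer's reply in this thread identifies as an ENOMEM condition raised before testing began, and that reply also states the 0 return is deliberate because no testing was done. Drop the change; if a failure is wanted at all, agree on the code with the maintainers first.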
-- 
2.17.1



[PATCH] scsi: mpt3sas: fix error return code of mpt3sas_base_attach()

2021-03-07 Thread Jia-Ju Bai
When kzalloc() returns NULL, no error return code of
mpt3sas_base_attach() is assigned.
To fix this bug, r is assigned with -ENOMEM in this case.

Fixes: c696f7b83ede ("scsi: mpt3sas: Implement device_remove_in_progress check 
in IOCTL path")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/scsi/mpt3sas/mpt3sas_base.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c 
b/drivers/scsi/mpt3sas/mpt3sas_base.c
index ac066f86bb14..ac0eef975f17 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
@@ -7806,14 +7806,18 @@ mpt3sas_base_attach(struct MPT3SAS_ADAPTER *ioc)
ioc->pend_os_device_add_sz++;
ioc->pend_os_device_add = kzalloc(ioc->pend_os_device_add_sz,
GFP_KERNEL);
-   if (!ioc->pend_os_device_add)
+   if (!ioc->pend_os_device_add) {
+   r = -ENOMEM;
goto out_free_resources;
+   }
 
ioc->device_remove_in_progress_sz = ioc->pend_os_device_add_sz;
ioc->device_remove_in_progress =
kzalloc(ioc->device_remove_in_progress_sz, GFP_KERNEL);
-   if (!ioc->device_remove_in_progress)
+   if (!ioc->device_remove_in_progress) {
+   r = -ENOMEM;
goto out_free_resources;
+   }
 
ioc->fwfault_debug = mpt3sas_fwfault_debug;
 
-- 
2.17.1



[PATCH] mtd: maps: fix error return code of physmap_flash_remove()

2021-03-07 Thread Jia-Ju Bai
When platform_get_drvdata() returns NULL to info, no error return code
of physmap_flash_remove() is assigned.
To fix this bug, err is assigned with -EINVAL in this case.

Fixes: 73566edf9b91 ("[MTD] Convert physmap to platform driver")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/mtd/maps/physmap-core.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/mtd/maps/physmap-core.c b/drivers/mtd/maps/physmap-core.c
index 001ed5deb622..4f63b8430c71 100644
--- a/drivers/mtd/maps/physmap-core.c
+++ b/drivers/mtd/maps/physmap-core.c
@@ -69,8 +69,10 @@ static int physmap_flash_remove(struct platform_device *dev)
int i, err = 0;
 
info = platform_get_drvdata(dev);
-   if (!info)
+   if (!info) {
+   err = -EINVAL;
goto out;
+   }
 
if (info->cmtd) {
err = mtd_device_unregister(info->cmtd);
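Review bot: Returning -EINVAL from the "if (!info)" branch changes the behaviour of a remove callback that currently treats missing driver data as nothing to tear down. The function starts with "int i, err = 0;" and jumps to out before touching any resource, so the 0 looks intentional. The commit message should say which caller needs to see an error from remove in this case; otherwise leave the branch alone.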
-- 
2.17.1



[PATCH] scsi: qedi: fix error return code of qedi_alloc_global_queues()

2021-03-07 Thread Jia-Ju Bai
When kzalloc() returns NULL to qedi->global_queues[i], no error return
code of qedi_alloc_global_queues() is assigned.
To fix this bug, status is assigned with -ENOMEM in this case.

Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver 
framework.")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/scsi/qedi/qedi_main.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_main.c
index 47ad64b06623..69c5b5ee2169 100644
--- a/drivers/scsi/qedi/qedi_main.c
+++ b/drivers/scsi/qedi/qedi_main.c
@@ -1675,6 +1675,7 @@ static int qedi_alloc_global_queues(struct qedi_ctx *qedi)
if (!qedi->global_queues[i]) {
QEDI_ERR(>dbg_ctx,
 "Unable to allocation global queue %d.\n", i);
+   status = -ENOMEM;
goto mem_alloc_failure;
}
 
-- 
2.17.1



[PATCH] net: bonding: fix error return code of bond_neigh_init()

2021-03-07 Thread Jia-Ju Bai
When slave is NULL or slave_ops->ndo_neigh_setup is NULL, no error
return code of bond_neigh_init() is assigned.
To fix this bug, ret is assigned with -EINVAL in these cases.

Fixes: 9e99bfefdbce ("bonding: fix bond_neigh_init()")
Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/net/bonding/bond_main.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 74cbbb22470b..456315bef3a8 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -3978,11 +3978,15 @@ static int bond_neigh_init(struct neighbour *n)
 
rcu_read_lock();
slave = bond_first_slave_rcu(bond);
-   if (!slave)
+   if (!slave) {
+   ret = -EINVAL;
goto out;
+   }
slave_ops = slave->dev->netdev_ops;
-   if (!slave_ops->ndo_neigh_setup)
+   if (!slave_ops->ndo_neigh_setup) {
+   ret = -EINVAL;
goto out;
+   }
 
/* TODO: find another way [1] to implement this.
 * Passing a zeroed structure is fragile,
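Review bot: Both new "ret = -EINVAL" assignments turn ordinary states into failures. "if (!slave)" covers a bond that currently has no slave, and "if (!slave_ops->ndo_neigh_setup)" covers a slave driver that does not implement a callback the code itself treats as optional by testing it for NULL; in either case there is nothing to set up and the original code returned the initial value of ret. An error returned from a neighbour init hook fails the neighbour's creation, so this change needs a justification beyond the static-analysis report.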
-- 
2.17.1



Re: [PATCH] media: platform: sunxi: sun6i-csi: fix error return code of sun6i_video_start_streaming()

2021-03-07 Thread Jia-Ju Bai




On 2021/3/7 20:47, Chen-Yu Tsai wrote:

On Sat, Mar 6, 2021 at 10:15 PM Jia-Ju Bai  wrote:

When sun6i_video_remote_subdev() returns NULL to subdev, no error return
code of sun6i_video_start_streaming() is assigned.
To fix this bug, ret is assigned with -EINVAL in this case.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 

This should have the tag:

Fixes: 5cc7522d8965 ("media: sun6i: Add support for Allwinner CSI V3s")

Please try to add them when fixing bugs. And this should also be tagged
for stable, so

Cc: 

Otherwise,

Acked-by: Chen-Yu Tsai 


Thanks for the advice :)
I will add the fixes and stable tags in my future patches.


Best wishes,
Jia-Ju Bai


Re: [PATCH] ath: ath6kl: fix error return code of ath6kl_htc_rx_bundle()

2021-03-07 Thread Jia-Ju Bai

Hi Leon,

I am quite sorry for my incorrect patches...
My static analysis tool reports some possible bugs about error handling 
code, and thus I write some patches for the bugs that seem to be true in 
my opinion.
Because I am not familiar with many device drivers, some of my reported 
bugs can be false positives...



Best wishes,
Jia-Ju Bai

On 2021/3/7 17:18, Leon Romanovsky wrote:

On Sun, Mar 07, 2021 at 01:07:57AM -0800, Jia-Ju Bai wrote:

When hif_scatter_req_get() returns NULL to scat_req, no error return
code of ath6kl_htc_rx_bundle() is assigned.
To fix this bug, status is assigned with -EINVAL in this case.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
  drivers/net/wireless/ath/ath6kl/htc_mbox.c | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath6kl/htc_mbox.c 
b/drivers/net/wireless/ath/ath6kl/htc_mbox.c
index 998947ef63b6..3f8857d19a0c 100644
--- a/drivers/net/wireless/ath/ath6kl/htc_mbox.c
+++ b/drivers/net/wireless/ath/ath6kl/htc_mbox.c
@@ -1944,8 +1944,10 @@ static int ath6kl_htc_rx_bundle(struct htc_target 
*target,

scat_req = hif_scatter_req_get(target->dev->ar);

-   if (scat_req == NULL)
+   if (scat_req == NULL) {
+   status = -EINVAL;

I'm not sure about it.

David. Jakub,
Please be warned that patches from this guy are not so great.
I looked on 4 patches and 3 of them were wrong (2 in RDMA and 1 for mlx5)
plus this patch most likely is incorrect too.



[PATCH] gpu: drm: amd: amdgpu: fix error return code of amdgpu_acpi_init()

2021-03-07 Thread Jia-Ju Bai
Add error return code in error handling code of amdgpu_acpi_init().

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c 
b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
index 8155c54392c8..156f30d5a2c0 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
@@ -788,12 +788,15 @@ int amdgpu_acpi_init(struct amdgpu_device *adev)
 
/* Probe for ATIF, and initialize it if found */
atif_handle = amdgpu_atif_probe_handle(handle);
-   if (!atif_handle)
+   if (!atif_handle) {
+   ret = -EINVAL;
goto out;
+   }
 
atif = kzalloc(sizeof(*atif), GFP_KERNEL);
if (!atif) {
DRM_WARN("Not enough memory to initialize ATIF\n");
+   ret = -ENOMEM;
goto out;
}
atif->handle = atif_handle;
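Review bot: "ret = -EINVAL" in the "if (!atif_handle)" branch contradicts the comment directly above it, "/* Probe for ATIF, and initialize it if found */": not finding ATIF is an expected outcome, not an init failure. Keep that branch returning the existing value of ret. The "ret = -ENOMEM" after the failed kzalloc() is the only addition in this hunk that reports a real error, and since the existing message there is only a DRM_WARN, whether ACPI init should fail on it is a question for the maintainers.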
@@ -803,6 +806,7 @@ int amdgpu_acpi_init(struct amdgpu_device *adev)
if (ret) {
DRM_DEBUG_DRIVER("Call to ATIF verify_interface failed: %d\n", 
ret);
kfree(atif);
+   ret = -EINVAL;
goto out;
}
adev->atif = atif;
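Review bot: Inside "if (ret) {" the variable already carries the code returned by the verify-interface call, and the DRM_DEBUG_DRIVER line above prints it, so "ret = -EINVAL" after "kfree(atif);" replaces the logged value with a different one. Remove the assignment; if out returns ret, as this patch assumes, the path already reports failure.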
-- 
2.17.1



[PATCH] net: wan: fix error return code of uhdlc_init()

2021-03-07 Thread Jia-Ju Bai
When priv->rx_skbuff or priv->tx_skbuff is NULL, no error return code of
uhdlc_init() is assigned.
To fix this bug, ret is assigned with -ENOMEM in these cases.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/net/wan/fsl_ucc_hdlc.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wan/fsl_ucc_hdlc.c b/drivers/net/wan/fsl_ucc_hdlc.c
index dca97cd7c4e7..7eac6a3e1cde 100644
--- a/drivers/net/wan/fsl_ucc_hdlc.c
+++ b/drivers/net/wan/fsl_ucc_hdlc.c
@@ -204,14 +204,18 @@ static int uhdlc_init(struct ucc_hdlc_private *priv)
priv->rx_skbuff = kcalloc(priv->rx_ring_size,
  sizeof(*priv->rx_skbuff),
  GFP_KERNEL);
-   if (!priv->rx_skbuff)
+   if (!priv->rx_skbuff) {
+   ret = -ENOMEM;
goto free_ucc_pram;
+   }
 
priv->tx_skbuff = kcalloc(priv->tx_ring_size,
  sizeof(*priv->tx_skbuff),
  GFP_KERNEL);
-   if (!priv->tx_skbuff)
+   if (!priv->tx_skbuff) {
+   ret = -ENOMEM;
goto free_rx_skbuff;
+   }
 
priv->skb_curtx = 0;
priv->skb_dirtytx = 0;
-- 
2.17.1



[PATCH] ath: ath6kl: fix error return code of ath6kl_htc_rx_bundle()

2021-03-07 Thread Jia-Ju Bai
When hif_scatter_req_get() returns NULL to scat_req, no error return
code of ath6kl_htc_rx_bundle() is assigned.
To fix this bug, status is assigned with -EINVAL in this case.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/net/wireless/ath/ath6kl/htc_mbox.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath6kl/htc_mbox.c 
b/drivers/net/wireless/ath/ath6kl/htc_mbox.c
index 998947ef63b6..3f8857d19a0c 100644
--- a/drivers/net/wireless/ath/ath6kl/htc_mbox.c
+++ b/drivers/net/wireless/ath/ath6kl/htc_mbox.c
@@ -1944,8 +1944,10 @@ static int ath6kl_htc_rx_bundle(struct htc_target 
*target,
 
scat_req = hif_scatter_req_get(target->dev->ar);
 
-   if (scat_req == NULL)
+   if (scat_req == NULL) {
+   status = -EINVAL;
goto fail_rx_pkt;
+   }
 
for (i = 0; i < n_scat_pkt; i++) {
int pad_len;
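Review bot: -EINVAL in the "if (scat_req == NULL)" branch needs justification: a NULL from hif_scatter_req_get() does not indicate an invalid argument, and the hunk does not show what callers do with a non-zero status from fail_rx_pkt. If a caller treats status 0 with no packets fetched as the cue to use another receive path, this change would break it. The maintainer reply in this thread raises the same doubt, so the commit message should cite the caller behaviour that makes an error correct.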
-- 
2.17.1



[PATCH] usb: renesas_usbhs: fix error return code of usbhsf_pkt_handler()

2021-03-07 Thread Jia-Ju Bai
When __usbhsf_pkt_get() returns NULL to pkt, no error return code of
usbhsf_pkt_handler() is assigned.
To fix this bug, ret is assigned with -EINVAL in this case.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/usb/renesas_usbhs/fifo.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/renesas_usbhs/fifo.c b/drivers/usb/renesas_usbhs/fifo.c
index e6fa13701808..b5e7991dc7d9 100644
--- a/drivers/usb/renesas_usbhs/fifo.c
+++ b/drivers/usb/renesas_usbhs/fifo.c
@@ -160,8 +160,10 @@ static int usbhsf_pkt_handler(struct usbhs_pipe *pipe, int 
type)
usbhs_lock(priv, flags);
 
pkt = __usbhsf_pkt_get(pipe);
-   if (!pkt)
+   if (!pkt) {
+   ret = -EINVAL;
goto __usbhs_pkt_handler_end;
+   }
 
switch (type) {
case USBHSF_PKT_PREPARE:
-- 
2.17.1



[PATCH resend] usb: gadget: legacy: fix error return code of msg_bind()

2021-03-07 Thread Jia-Ju Bai
When usb_otg_descriptor_alloc() returns NULL to usb_desc, no error
return code of msg_bind() is assigned.
To fix this bug, status is assigned with -ENOMEM in this case.

Reported-by: TOTE Robot
Signed-off-by: Jia-Ju Bai 
---
 drivers/usb/gadget/legacy/mass_storage.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/legacy/mass_storage.c 
b/drivers/usb/gadget/legacy/mass_storage.c
index 9ed22c5fb7fe..ac1741126619 100644
--- a/drivers/usb/gadget/legacy/mass_storage.c
+++ b/drivers/usb/gadget/legacy/mass_storage.c
@@ -175,8 +175,10 @@ static int msg_bind(struct usb_composite_dev *cdev)
struct usb_descriptor_header *usb_desc;
 
usb_desc = usb_otg_descriptor_alloc(cdev->gadget);
-   if (!usb_desc)
+   if (!usb_desc) {
+   status = -ENOMEM;
goto fail_string_ids;
+   }
usb_otg_descriptor_init(cdev->gadget, usb_desc);
otg_desc[0] = usb_desc;
otg_desc[1] = NULL;
-- 
2.17.1



[PATCH] usb: gadget: legacy: fix error return code of msg_bind()

2021-03-07 Thread Jia-Ju Bai
When usb_otg_descriptor_alloc() returns NULL to usb_desc, no error
return code of msg_bind() is assigned.
To fix this bug, status is assigned with -ENOMEM in this case.

Reported-by: TOTE Robot
Signed-off-by: Jia-Ju Bai 
---
 drivers/usb/gadget/legacy/mass_storage.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/legacy/mass_storage.c 
b/drivers/usb/gadget/legacy/mass_storage.c
index 9ed22c5fb7fe..ac1741126619 100644
--- a/drivers/usb/gadget/legacy/mass_storage.c
+++ b/drivers/usb/gadget/legacy/mass_storage.c
@@ -175,8 +175,10 @@ static int msg_bind(struct usb_composite_dev *cdev)
struct usb_descriptor_header *usb_desc;
 
usb_desc = usb_otg_descriptor_alloc(cdev->gadget);
-   if (!usb_desc)
+   if (!usb_desc) {
+   status = -ENOMEM;
goto fail_string_ids;
+   }
usb_otg_descriptor_init(cdev->gadget, usb_desc);
otg_desc[0] = usb_desc;
otg_desc[1] = NULL;
-- 
2.17.1



[PATCH] usb: gadget: legacy: fix error return code of multi_bind()

2021-03-07 Thread Jia-Ju Bai
When usb_otg_descriptor_alloc() returns NULL to usb_desc, no error
return code of multi_bind() is assigned.
To fix this bug, status is assigned with -ENOMEM in this case.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/usb/gadget/legacy/multi.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/legacy/multi.c 
b/drivers/usb/gadget/legacy/multi.c
index ec9749845660..7734bf77b309 100644
--- a/drivers/usb/gadget/legacy/multi.c
+++ b/drivers/usb/gadget/legacy/multi.c
@@ -399,8 +399,10 @@ static int __ref multi_bind(struct usb_composite_dev *cdev)
struct usb_descriptor_header *usb_desc;
 
usb_desc = usb_otg_descriptor_alloc(gadget);
-   if (!usb_desc)
+   if (!usb_desc) {
+   status = -ENOMEM;
goto fail_string_ids;
+   }
usb_otg_descriptor_init(gadget, usb_desc);
otg_desc[0] = usb_desc;
otg_desc[1] = NULL;
-- 
2.17.1



[PATCH] net: hisilicon: hns: fix error return code of hns_nic_clear_all_rx_fetch()

2021-03-07 Thread Jia-Ju Bai
When hns_assemble_skb() returns NULL to skb, no error return code of
hns_nic_clear_all_rx_fetch() is assigned.
To fix this bug, ret is assigned with -ENOMEM in this case.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/net/ethernet/hisilicon/hns/hns_enet.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c 
b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
index 5d7824d2b4d4..c66a7a51198e 100644
--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
@@ -1663,8 +1663,10 @@ static int hns_nic_clear_all_rx_fetch(struct net_device 
*ndev)
for (j = 0; j < fetch_num; j++) {
/* alloc one skb and init */
skb = hns_assemble_skb(ndev);
-   if (!skb)
+   if (!skb) {
+   ret = -ENOMEM;
goto out;
+   }
rd = _ring_data(priv, skb->queue_mapping);
hns_nic_net_xmit_hw(ndev, skb, rd);
 
-- 
2.17.1



[PATCH] rsi: fix error return code of rsi_load_9116_firmware()

2021-03-07 Thread Jia-Ju Bai
When kmemdup() returns NULL to ta_firmware, no error return code of
rsi_load_9116_firmware() is assigned.
To fix this bug, status is assigned with -ENOMEM in this case.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/net/wireless/rsi/rsi_91x_hal.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/rsi/rsi_91x_hal.c 
b/drivers/net/wireless/rsi/rsi_91x_hal.c
index ce9892152f4d..32ecb8b3d6c5 100644
--- a/drivers/net/wireless/rsi/rsi_91x_hal.c
+++ b/drivers/net/wireless/rsi/rsi_91x_hal.c
@@ -1038,8 +1038,10 @@ static int rsi_load_9116_firmware(struct rsi_hw *adapter)
}
 
ta_firmware = kmemdup(fw_entry->data, fw_entry->size, GFP_KERNEL);
-   if (!ta_firmware)
+   if (!ta_firmware) {
+   status = -ENOMEM;
goto fail_release_fw;
+   }
fw_p = ta_firmware;
instructions_sz = fw_entry->size;
rsi_dbg(INFO_ZONE, "FW Length = %d bytes\n", instructions_sz);
-- 
2.17.1



[PATCH] ti: wlcore: fix error return code of wl1271_cmd_build_ps_poll()

2021-03-07 Thread Jia-Ju Bai
When ieee80211_pspoll_get() returns NULL to skb, no error return code of
wl1271_cmd_build_ps_poll() is assigned.
To fix this bug, ret is assigned with -ENOMEM in this case.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/net/wireless/ti/wlcore/cmd.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ti/wlcore/cmd.c 
b/drivers/net/wireless/ti/wlcore/cmd.c
index 32a2e27cc561..7bf8b8201fdd 100644
--- a/drivers/net/wireless/ti/wlcore/cmd.c
+++ b/drivers/net/wireless/ti/wlcore/cmd.c
@@ -1120,8 +1120,10 @@ int wl1271_cmd_build_ps_poll(struct wl1271 *wl, struct 
wl12xx_vif *wlvif,
int ret = 0;
 
skb = ieee80211_pspoll_get(wl->hw, vif);
-   if (!skb)
+   if (!skb) {
+   ret = -ENOMEM;
goto out;
+   }
 
ret = wl1271_cmd_template_set(wl, wlvif->role_id,
  CMD_TEMPL_PS_POLL, skb->data,
-- 
2.17.1



[PATCH] ti: wlcore: fix error return code of wl1271_suspend()

2021-03-06 Thread Jia-Ju Bai
When wl is NULL, no error return code of wl1271_suspend() is assigned.
To fix this bug, ret is assigned with -EINVAL in this case.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/net/wireless/ti/wlcore/sdio.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/ti/wlcore/sdio.c 
b/drivers/net/wireless/ti/wlcore/sdio.c
index 9fd8cf2d270c..a040d595a43a 100644
--- a/drivers/net/wireless/ti/wlcore/sdio.c
+++ b/drivers/net/wireless/ti/wlcore/sdio.c
@@ -390,6 +390,7 @@ static int wl1271_suspend(struct device *dev)
 
if (!wl) {
dev_err(dev, "no wilink module was probed\n");
+   ret = -EINVAL;
goto out;
}
 
-- 
2.17.1



[PATCH] media: tuners: fix error return code of hybrid_tuner_request_state()

2021-03-06 Thread Jia-Ju Bai
When kzalloc() fails and state is NULL, no error return code is
assigned.
To fix this bug, __ret is assigned with -ENOMEM in this case.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/media/tuners/tuner-i2c.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/media/tuners/tuner-i2c.h b/drivers/media/tuners/tuner-i2c.h
index 724952e001cd..26cf7da29f30 100644
--- a/drivers/media/tuners/tuner-i2c.h
+++ b/drivers/media/tuners/tuner-i2c.h
@@ -133,8 +133,10 @@ static inline int tuner_i2c_xfer_send_recv(struct 
tuner_i2c_props *props,
}   \
if (0 == __ret) {   \
state = kzalloc(sizeof(type), GFP_KERNEL);  \
-   if (NULL == state)  \
+   if (NULL == state) {\
+   __ret = -ENOMEM;\
goto __fail;\
+   }   \
state->i2c_props.addr = i2caddr;\
state->i2c_props.adap = i2cadap;\
state->i2c_props.name = devname;\
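Review bot: "__ret = -ENOMEM;" assumes the macro's result is an errno, but the surrounding "if (0 == __ret) {" shows that 0 is used as a state (no existing instance, so allocate one), not as success. Check every user of hybrid_tuner_request_state() before returning a negative value: if callers treat 0 as failure and any other value as an instance count, -ENOMEM would be taken as a valid instance while state is still NULL. The commit message should state the macro's return convention and why a negative value is safe for all callers.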
-- 
2.17.1



[PATCH] media: platform: sunxi: sun6i-csi: fix error return code of sun6i_video_start_streaming()

2021-03-06 Thread Jia-Ju Bai
When sun6i_video_remote_subdev() returns NULL to subdev, no error return
code of sun6i_video_start_streaming() is assigned.
To fix this bug, ret is assigned with -EINVAL in this case.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/media/platform/sunxi/sun6i-csi/sun6i_video.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/media/platform/sunxi/sun6i-csi/sun6i_video.c 
b/drivers/media/platform/sunxi/sun6i-csi/sun6i_video.c
index b55de9ab64d8..3181d0781b61 100644
--- a/drivers/media/platform/sunxi/sun6i-csi/sun6i_video.c
+++ b/drivers/media/platform/sunxi/sun6i-csi/sun6i_video.c
@@ -151,8 +151,10 @@ static int sun6i_video_start_streaming(struct vb2_queue 
*vq, unsigned int count)
}
 
subdev = sun6i_video_remote_subdev(video, NULL);
-   if (!subdev)
+   if (!subdev) {
+   ret = -EINVAL;
goto stop_media_pipeline;
+   }
 
config.pixelformat = video->fmt.fmt.pix.pixelformat;
config.code = video->mbus_code;
-- 
2.17.1



[PATCH] thermal: thermal_of: fix error return code of thermal_of_populate_bind_params()

2021-03-06 Thread Jia-Ju Bai
When kcalloc() fails and __tcbp is NULL, no error return code of
thermal_of_populate_bind_params() is assigned.
To fix this bug, ret is assigned with -ENOMEM in this case.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/thermal/thermal_of.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/thermal/thermal_of.c b/drivers/thermal/thermal_of.c
index 69ef12f852b7..e8c9041482e9 100644
--- a/drivers/thermal/thermal_of.c
+++ b/drivers/thermal/thermal_of.c
@@ -710,8 +710,10 @@ static int thermal_of_populate_bind_params(struct 
device_node *np,
}
 
__tcbp = kcalloc(count, sizeof(*__tcbp), GFP_KERNEL);
-   if (!__tcbp)
+   if (!__tcbp) {
+   ret = -ENOMEM;
goto end;
+   }
 
for (i = 0; i < count; i++) {
ret = of_parse_phandle_with_args(np, "cooling-device",
-- 
2.17.1



[PATCH] net: mellanox: mlxsw: fix error return code of mlxsw_sp_router_nve_promote_decap()

2021-03-06 Thread Jia-Ju Bai
When fib_entry is NULL, no error return code of
mlxsw_sp_router_nve_promote_decap() is assigned.
To fix this bug, err is assigned with -EINVAL in this case.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c 
b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
index 9ce90841f92d..7b260e25df1b 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
@@ -1981,8 +1981,10 @@ int mlxsw_sp_router_nve_promote_decap(struct mlxsw_sp 
*mlxsw_sp, u32 ul_tb_id,
fib_entry = mlxsw_sp_router_ip2me_fib_entry_find(mlxsw_sp, ul_tb_id,
 ul_proto, ul_sip,
 type);
-   if (!fib_entry)
+   if (!fib_entry) {
+   err = -EINVAL;
goto out;
+   }
 
fib_entry->decap.tunnel_index = tunnel_index;
fib_entry->type = MLXSW_SP_FIB_ENTRY_TYPE_NVE_DECAP;
-- 
2.17.1



[PATCH] infiniband: hw: cxgb4: fix error return code of close_listsrv_rpl()

2021-03-06 Thread Jia-Ju Bai
When ep is NULL, no error code of close_listsrv_rpl() is returned.
To fix this bug, close_listsrv_rpl() returns -EINVAL in this case.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/infiniband/hw/cxgb4/cm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
index 8769e7aa097f..94492d2dfdc7 100644
--- a/drivers/infiniband/hw/cxgb4/cm.c
+++ b/drivers/infiniband/hw/cxgb4/cm.c
@@ -2400,7 +2400,7 @@ static int close_listsrv_rpl(struct c4iw_dev *dev, struct 
sk_buff *skb)
 
if (!ep) {
pr_warn("%s stid %d lookup failure!\n", __func__, stid);
-   goto out;
+   return -EINVAL;
}
pr_debug("ep %p\n", ep);
c4iw_wake_up_noref(ep->com.wr_waitp, status2errno(rpl->status));
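Review bot: Replacing "goto out;" with "return -EINVAL;" in the "if (!ep)" branch skips whatever the out label does, which the hunk does not show. If out releases anything acquired earlier in the handler, this introduces a leak; if it only returns 0, say so in the commit message. Either way the message should explain who consumes the return value of this reply handler and why a failed stid lookup, already reported by pr_warn(), must now be an error.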
-- 
2.17.1



[PATCH] infiniband: hw: cxgb4: fix error return code of pass_open_rpl()

2021-03-06 Thread Jia-Ju Bai
When ep is NULL, no error code of pass_open_rpl() is returned.
To fix this bug, pass_open_rpl() returns -EINVAL in this case.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/infiniband/hw/cxgb4/cm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
index 8769e7aa097f..773d3805bb25 100644
--- a/drivers/infiniband/hw/cxgb4/cm.c
+++ b/drivers/infiniband/hw/cxgb4/cm.c
@@ -2382,7 +2382,7 @@ static int pass_open_rpl(struct c4iw_dev *dev, struct 
sk_buff *skb)
 
if (!ep) {
pr_warn("%s stid %d lookup failure!\n", __func__, stid);
-   goto out;
+   return -EINVAL;
}
pr_debug("ep %p status %d error %d\n", ep,
 rpl->status, status2errno(rpl->status));
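Review bot: The one-line change in the "if (!ep)" branch is identical to the close_listsrv_rpl() patch and is made against the same base blob 8769e7aa097f of cm.c, so the two should be sent as one patch or a series. The concern is also the same: "return -EINVAL;" bypasses the out label that the original "goto out;" reached, and nothing visible here shows that is safe.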
-- 
2.17.1



[PATCH] net: mellanox: mlx5: fix error return code of mlx5e_stats_flower()

2021-03-06 Thread Jia-Ju Bai
When mlx5e_tc_get_counter() returns NULL to counter or
mlx5_devcom_get_peer_data() returns NULL to peer_esw, no error return 
code of mlx5e_stats_flower() is assigned.
To fix this bug, err is assigned with -EINVAL in these cases.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 12 +---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c 
b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
index 0da69b98f38f..1f2c9da7bd35 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
@@ -4380,8 +4380,10 @@ int mlx5e_stats_flower(struct net_device *dev, struct 
mlx5e_priv *priv,
 
if (mlx5e_is_offloaded_flow(flow) || flow_flag_test(flow, CT)) {
counter = mlx5e_tc_get_counter(flow);
-   if (!counter)
+   if (!counter) {
+   err = -EINVAL;
goto errout;
+   }
 
mlx5_fc_query_cached(counter, , , );
}
@@ -4390,8 +4392,10 @@ int mlx5e_stats_flower(struct net_device *dev, struct 
mlx5e_priv *priv,
 * un-offloaded while the other rule is offloaded.
 */
peer_esw = mlx5_devcom_get_peer_data(devcom, MLX5_DEVCOM_ESW_OFFLOADS);
-   if (!peer_esw)
+   if (!peer_esw) {
+   err = -EINVAL;
goto out;
+   }
 
if (flow_flag_test(flow, DUP) &&
flow_flag_test(flow->peer_flow, OFFLOADED)) {
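Review bot: Setting "err = -EINVAL;" before "goto out;" in the "if (!peer_esw)" branch reports failure through what the labels indicate is the normal exit: the failure path in the first hunk uses errout, while this branch uses out. A missing peer eswitch reads as "no peer counters to add", not as a failed stats query. Leave this branch unchanged unless out is shown to be an error path.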
@@ -4400,8 +4404,10 @@ int mlx5e_stats_flower(struct net_device *dev, struct 
mlx5e_priv *priv,
u64 lastuse2;
 
counter = mlx5e_tc_get_counter(flow->peer_flow);
-   if (!counter)
+   if (!counter) {
+   err = -EINVAL;
goto no_peer_counter;
+   }
mlx5_fc_query_cached(counter, , , );
 
bytes += bytes2;
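Review bot: The "if (!counter)" branch jumps to no_peer_counter, a label whose name says the absence of a peer counter is handled as a normal case, so "err = -EINVAL;" would make the function fail after the local flow's counters were already read by mlx5_fc_query_cached() in the first hunk. Drop the assignment unless no_peer_counter is shown to be an error path.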
-- 
2.17.1



[PATCH] rpmsg: qcom_glink_native: fix error return code of qcom_glink_rx_data()

2021-03-06 Thread Jia-Ju Bai
When idr_find() returns NULL to intent, no error return code of
qcom_glink_rx_data() is assigned.
To fix this bug, ret is assigned with -ENOENT in this case.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/rpmsg/qcom_glink_native.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/rpmsg/qcom_glink_native.c 
b/drivers/rpmsg/qcom_glink_native.c
index 27a05167c18c..4840886532ff 100644
--- a/drivers/rpmsg/qcom_glink_native.c
+++ b/drivers/rpmsg/qcom_glink_native.c
@@ -857,6 +857,7 @@ static int qcom_glink_rx_data(struct qcom_glink *glink, 
size_t avail)
dev_err(glink->dev,
"no intent found for channel %s intent %d",
channel->name, liid);
+   ret = -ENOENT;
goto advance_rx;
}
}
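Review bot: setting ret = -ENOENT before goto advance_rx changes what the caller sees for a packet that the existing code logs and then skips, which is what the label name and the dev_err() indicate. The commit message should say what the caller of qcom_glink_rx_data() does with a non-zero return, because stopping rx processing on a single unknown intent id would be a behaviour change, not only a return-code fix. The dev_err() format string in the context lines also lacks a trailing newline.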
-- 
2.17.1



[PATCH] interconnect: core: fix error return code of icc_link_destroy()

2021-03-06 Thread Jia-Ju Bai
When krealloc() fails and new is NULL, no error return code of
icc_link_destroy() is assigned.
To fix this bug, ret is assigned with -ENOMEM when new is NULL.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/interconnect/core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/interconnect/core.c b/drivers/interconnect/core.c
index 5ad519c9f239..8a1e70e00876 100644
--- a/drivers/interconnect/core.c
+++ b/drivers/interconnect/core.c
@@ -942,6 +942,8 @@ int icc_link_destroy(struct icc_node *src, struct icc_node 
*dst)
   GFP_KERNEL);
if (new)
src->links = new;
+   else
+   ret = -ENOMEM;
 
 out:
mutex_unlock(_lock);
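Review bot: the new else branch reports -ENOMEM from a destroy function for a failed krealloc(), but the existing code keeps src->links untouched when new is NULL, which leaves the old array usable. The commit message should state whether the link has already been removed by the time this line runs; if it has, the caller is told the destroy failed although it took effect, and a comment explaining that the old buffer is kept on purpose would be the better change.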
-- 
2.17.1



[PATCH] staging: vc04_services: vchiq_arm: fix error return code of vchiq_release_internal() and vchiq_use_internal()

2021-03-06 Thread Jia-Ju Bai
When arm_state is NULL, no error return code of vchiq_release_internal()
and vchiq_use_internal() is assigned.
To fix this bug, ret is assigned with VCHIQ_ERROR.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 .../staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c 
b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
index 59e45dc03a97..8b2b4771f420 100644
--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
@@ -2332,8 +2332,10 @@ vchiq_use_internal(struct vchiq_state *state, struct 
vchiq_service *service,
int *entity_uc;
int local_uc;
 
-   if (!arm_state)
+   if (!arm_state) {
+   ret = VCHIQ_ERROR;
goto out;
+   }
 
vchiq_log_trace(vchiq_susp_log_level, "%s", __func__);
 
@@ -2389,8 +2391,10 @@ vchiq_release_internal(struct vchiq_state *state, struct 
vchiq_service *service)
char entity[16];
int *entity_uc;
 
-   if (!arm_state)
+   if (!arm_state) {
+   ret = VCHIQ_ERROR;
goto out;
+   }
 
vchiq_log_trace(vchiq_susp_log_level, "%s", __func__);
 
-- 
2.17.1



[PATCH] security: tomoyo: fix error return code of tomoyo_update_domain()

2021-03-06 Thread Jia-Ju Bai
When mutex_lock_interruptible() fails, the error return code of
tomoyo_update_domain() is not properly assigned.
To fix this bug, error is assigned with the return value of
mutex_lock_interruptible(), and then error is checked.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 security/tomoyo/domain.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
index 98d985895ec8..7b9f9664dbe3 100644
--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -118,7 +118,8 @@ int tomoyo_update_domain(struct tomoyo_acl_info *new_entry, 
const int size,
  ->perm == 1 << TOMOYO_TYPE_EXECUTE))
goto out;
}
-   if (mutex_lock_interruptible(_policy_lock))
+   error = mutex_lock_interruptible(_policy_lock);
+   if (error)
goto out;
list_for_each_entry_rcu(entry, list, list,
srcu_read_lock_held(_ss)) {
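Review bot: assigning the result of mutex_lock_interruptible() to error overwrites error with 0 on the success path, right before the list_for_each_entry_rcu() walk. If error carries a preset failure code into that walk (the hunk does not show its initial value), the default is lost and a later "not found" or allocation failure would return 0. Keeping the original test and setting the code only in the failure branch avoids that: if (mutex_lock_interruptible(...)) { error = -EINTR; goto out; }.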
-- 
2.17.1



[PATCH] pinctrl: ti: fix error return code of ti_iodelay_probe()

2021-03-06 Thread Jia-Ju Bai
When ti_iodelay_pinconf_init_dev() fails, no error return code of
ti_iodelay_probe() is assigned.
To fix this bug, ret is assigned with the return value of
ti_iodelay_pinconf_init_dev(), and then ret is checked.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/pinctrl/ti/pinctrl-ti-iodelay.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/pinctrl/ti/pinctrl-ti-iodelay.c 
b/drivers/pinctrl/ti/pinctrl-ti-iodelay.c
index 60a67139ff0a..e5848269175a 100644
--- a/drivers/pinctrl/ti/pinctrl-ti-iodelay.c
+++ b/drivers/pinctrl/ti/pinctrl-ti-iodelay.c
@@ -867,7 +867,8 @@ static int ti_iodelay_probe(struct platform_device *pdev)
goto exit_out;
}
 
-   if (ti_iodelay_pinconf_init_dev(iod))
+   ret = ti_iodelay_pinconf_init_dev(iod);
+   if (ret)
goto exit_out;
 
ret = ti_iodelay_alloc_pins(dev, iod, res->start);
-- 
2.17.1



[PATCH] base: dd: fix error return code of driver_sysfs_add()

2021-03-05 Thread Jia-Ju Bai
When device_create_file() fails and returns a non-zero value, 
no error return code of driver_sysfs_add() is assigned.
To fix this bug, ret is assigned with the return value of
device_create_file(), and then ret is checked.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/base/dd.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/base/dd.c b/drivers/base/dd.c
index 9179825ff646..f94bbef95258 100644
--- a/drivers/base/dd.c
+++ b/drivers/base/dd.c
@@ -413,8 +413,11 @@ static int driver_sysfs_add(struct device *dev)
if (ret)
goto rm_dev;
 
-   if (!IS_ENABLED(CONFIG_DEV_COREDUMP) || !dev->driver->coredump ||
-   !device_create_file(dev, _attr_coredump))
+   if (!IS_ENABLED(CONFIG_DEV_COREDUMP) || !dev->driver->coredump)
+   return 0;
+   
+   ret = device_create_file(dev, _attr_coredump);
+   if (!ret)
return 0;
 
sysfs_remove_link(>kobj, "driver");
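Review bot: the added blank line between return 0; and ret = device_create_file(...) is emitted as "+" followed by whitespace, which checkpatch flags as trailing whitespace; it should be an empty line. The logic split itself is fine as long as the cleanup after sysfs_remove_link() ends in return ret, which is outside the visible context and worth confirming in the commit message.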
-- 
2.17.1



[PATCH] net: smc: fix error return code of smc_diag_dump_proto()

2021-03-05 Thread Jia-Ju Bai
When the list of head is empty, no error return code of
smc_diag_dump_proto() is assigned.
To fix this bug, rc is assigned with -ENOENT as error return code.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 net/smc/smc_diag.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/smc/smc_diag.c b/net/smc/smc_diag.c
index c952986a6aca..a90889482842 100644
--- a/net/smc/smc_diag.c
+++ b/net/smc/smc_diag.c
@@ -201,8 +201,10 @@ static int smc_diag_dump_proto(struct proto *prot, struct 
sk_buff *skb,
 
read_lock(>h.smc_hash->lock);
head = >h.smc_hash->ht;
-   if (hlist_empty(head))
+   if (hlist_empty(head)) {
+   rc = -ENOENT;
goto out;
+   }
 
sk_for_each(sk, head) {
if (!net_eq(sock_net(sk), net))
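Review bot: hlist_empty(head) in a dump function means there are no sockets to report, which is a normal result, not a failure. Returning -ENOENT from smc_diag_dump_proto() would turn an empty dump into an error for the netlink requester. The commit message should show a caller that needs the error, otherwise rc should stay as it is on this path.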
-- 
2.17.1



[PATCH] scsi: ufs: fix error return code of exynos_ufs_get_clk_info()

2021-03-05 Thread Jia-Ju Bai
When the list of head is empty, no error return code of
exynos_ufs_get_clk_info() is assigned.
To fix this bug, ret is assigned with -ENOENT as error return code.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/scsi/ufs/ufs-exynos.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/ufs/ufs-exynos.c b/drivers/scsi/ufs/ufs-exynos.c
index 267943a13a94..d67652e5cc34 100644
--- a/drivers/scsi/ufs/ufs-exynos.c
+++ b/drivers/scsi/ufs/ufs-exynos.c
@@ -264,8 +264,10 @@ static int exynos_ufs_get_clk_info(struct exynos_ufs *ufs)
u8 div = 0;
int ret = 0;
 
-   if (list_empty(head))
+   if (list_empty(head)) {
+   ret = -ENOENT;
goto out;
+   }
 
list_for_each_entry(clki, head, list) {
if (!IS_ERR(clki->clk)) {
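Review bot: ret is explicitly initialised to 0 two lines above the list_empty(head) check, which suggests that an empty clock list was meant to be a successful no-op. The commit message only says that no error code is assigned; it should explain why a controller with no listed clocks has to fail exynos_ufs_get_clk_info(), and what the caller does with -ENOENT.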
-- 
2.17.1



[PATCH] scsi: ufs: fix error return code of ufshcd_set_clk_freq()

2021-03-05 Thread Jia-Ju Bai
When the list of head is empty, no error return code of
ufshcd_set_clk_freq() is assigned.
To fix this bug, ret is assigned with -ENOENT as error return code.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/scsi/ufs/ufshcd.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index 77161750c9fb..79899acb3ef6 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -970,8 +970,10 @@ static int ufshcd_set_clk_freq(struct ufs_hba *hba, bool 
scale_up)
struct ufs_clk_info *clki;
struct list_head *head = >clk_list_head;
 
-   if (list_empty(head))
+   if (list_empty(head)) {
+   ret = -ENOENT;
goto out;
+   }
 
list_for_each_entry(clki, head, list) {
if (!IS_ERR_OR_NULL(clki->clk)) {
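Review bot: this is one of several separate patches against drivers/scsi/ufs/ufshcd.c with the same base blob (index 77161750c9fb) that all make the same list_empty() change. They should be sent as one series so the maintainers can decide once whether an empty clk_list_head is an error at all; platforms that describe no clocks would otherwise start failing in ufshcd_set_clk_freq().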
-- 
2.17.1



[PATCH] scsi: ufs: fix error return code of ufshcd_devfreq_target()

2021-03-05 Thread Jia-Ju Bai
When the list of clk_list is empty, no error return code of
ufshcd_devfreq_target() is assigned.
To fix this bug, ret is assigned with -ENOENT as error return code.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/scsi/ufs/ufshcd.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index 77161750c9fb..d31aae56fd96 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -1337,6 +1337,7 @@ static int ufshcd_devfreq_target(struct device *dev,
 
if (list_empty(clk_list)) {
spin_unlock_irqrestore(hba->host->host_lock, irq_flags);
+   ret = -ENOENT;
goto out;
}
 
-- 
2.17.1



[PATCH] scsi: ufs: fix error return code of ufshcd_init_clocks()

2021-03-05 Thread Jia-Ju Bai
When the list of head is empty, no error return code of
ufshcd_init_clocks() is assigned.
To fix this bug, ret is assigned with -ENOENT as error return code.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/scsi/ufs/ufshcd.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index 77161750c9fb..6a3e47d8f98f 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -8273,8 +8273,10 @@ static int ufshcd_init_clocks(struct ufs_hba *hba)
struct device *dev = hba->dev;
struct list_head *head = >clk_list_head;
 
-   if (list_empty(head))
+   if (list_empty(head)) {
+   ret = -ENOENT;
goto out;
+   }
 
list_for_each_entry(clki, head, list) {
if (!clki->name)
-- 
2.17.1



[PATCH] media: platform: xilinx: fix error return code of xvip_graph_init()

2021-03-05 Thread Jia-Ju Bai
When the list of xdev->notifier.asd_list is empty, no error return code
of xvip_graph_init() is assigned.
To fix this bug, ret is assigned with -ENOENT as error return code.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/media/platform/xilinx/xilinx-vipp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/media/platform/xilinx/xilinx-vipp.c 
b/drivers/media/platform/xilinx/xilinx-vipp.c
index bf4015d852e3..2ce31d7ce1a6 100644
--- a/drivers/media/platform/xilinx/xilinx-vipp.c
+++ b/drivers/media/platform/xilinx/xilinx-vipp.c
@@ -525,6 +525,7 @@ static int xvip_graph_init(struct xvip_composite_device 
*xdev)
 
if (list_empty(>notifier.asd_list)) {
dev_err(xdev->dev, "no subdev found in graph\n");
+   ret = -ENOENT;
goto done;
}
 
-- 
2.17.1



[PATCH] fs: btrfs: fix error return code of btrfs_recover_relocation()

2021-03-05 Thread Jia-Ju Bai
When the list of reloc_roots is empty, no error return code of
btrfs_recover_relocation() is assigned.
To fix this bug, err is assigned with -ENOENT as error return code.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 fs/btrfs/relocation.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
index 232d5da7b7be..631b672a852f 100644
--- a/fs/btrfs/relocation.c
+++ b/fs/btrfs/relocation.c
@@ -3817,8 +3817,10 @@ int btrfs_recover_relocation(struct btrfs_root *root)
}
btrfs_release_path(path);
 
-   if (list_empty(_roots))
+   if (list_empty(_roots)) {
+   err = -ENOENT;
goto out;
+   }
 
rc = alloc_reloc_control(fs_info);
if (!rc) {
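Review bot: list_empty() on reloc_roots right after btrfs_release_path() means no relocation was in progress, so there is nothing to recover. Setting err = -ENOENT on this path makes btrfs_recover_relocation() fail in the common case. The goto out here looks like an intentional early success exit and the hunk should be dropped unless the commit message can show otherwise.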
-- 
2.17.1



[PATCH] net: xdp: fix error return code of xsk_generic_xmit()

2021-03-05 Thread Jia-Ju Bai
When err is zero but xskq_prod_reserve() fails, no error return code of
xsk_generic_xmit() is assigned.
To fix this bug, err is assigned with the return value of
xskq_prod_reserve(), and then err is checked.
The spinlock is only used to protect the call to xskq_prod_reserve().

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 net/xdp/xsk.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
index 4faabd1ecfd1..f1c1db07dd07 100644
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -484,8 +484,14 @@ static int xsk_generic_xmit(struct sock *sk)
 * if there is space in it. This avoids having to implement
 * any buffering in the Tx path.
 */
+   if (unlikely(err)) {
+   kfree_skb(skb);
+   goto out;
+   }
+
spin_lock_irqsave(>pool->cq_lock, flags);
-   if (unlikely(err) || xskq_prod_reserve(xs->pool->cq)) {
+   err = xskq_prod_reserve(xs->pool->cq);
+   if (unlikely(err)) {
spin_unlock_irqrestore(>pool->cq_lock, flags);
kfree_skb(skb);
goto out;
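Review bot: the new if (unlikely(err)) block is inserted between the comment about reserving space in the completion queue and the spin_lock_irqsave()/xskq_prod_reserve() pair that the comment documents, so the comment now sits above an unrelated check. Move the early err check above the comment. The kfree_skb(skb); goto out; sequence is also duplicated in both branches; a shared label would keep the two failure paths from drifting apart.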
-- 
2.17.1



[PATCH] scsi: ufs: fix error return code of ufshcd_populate_vreg()

2021-03-05 Thread Jia-Ju Bai
When np is NULL or of_parse_phandle() returns NULL, no error return code
of ufshcd_populate_vreg() is assigned.
To fix this bug, ret is assigned with -EINVAL or -ENOENT as error return
code.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/scsi/ufs/ufshcd-pltfrm.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/scsi/ufs/ufshcd-pltfrm.c b/drivers/scsi/ufs/ufshcd-pltfrm.c
index 1a69949a4ea1..9f11c416a919 100644
--- a/drivers/scsi/ufs/ufshcd-pltfrm.c
+++ b/drivers/scsi/ufs/ufshcd-pltfrm.c
@@ -113,6 +113,7 @@ static int ufshcd_populate_vreg(struct device *dev, const 
char *name,
 
if (!np) {
dev_err(dev, "%s: non DT initialization\n", __func__);
+   ret = -EINVAL;
goto out;
}
 
@@ -120,6 +121,7 @@ static int ufshcd_populate_vreg(struct device *dev, const 
char *name,
if (!of_parse_phandle(np, prop_name, 0)) {
dev_info(dev, "%s: Unable to find %s regulator, assuming 
enabled\n",
__func__, prop_name);
+   ret = -ENOENT;
goto out;
}
 
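Review bot: the dev_info() in the !of_parse_phandle() branch says "Unable to find %s regulator, assuming enabled", so the existing code treats a missing regulator property as a valid configuration and returns success on purpose. Adding ret = -ENOENT contradicts that message and would fail setups that rely on an always-on supply. Drop this hunk, or change the log text and level together with the return code and justify it in the commit message.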
-- 
2.17.1



Re: [PATCH] md: bcache: fix error return code of cached_dev_cache_miss()

2021-03-04 Thread Jia-Ju Bai

Hi Coly,

Thanks a lot for your detailed explanation :)


Best wishes,
Jia-Ju Bai

On 2021/3/5 12:05, Coly Li wrote:

On 3/5/21 10:46 AM, Jia-Ju Bai wrote:

When bch_bio_alloc_pages() fails, no error return code of
cached_dev_cache_miss() is assigned.
To fix this bug, ret is assigned with -ENOMEM as error return code.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
  drivers/md/bcache/request.c | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/md/bcache/request.c b/drivers/md/bcache/request.c
index 29c231758293..9ecaf26c8d60 100644
--- a/drivers/md/bcache/request.c
+++ b/drivers/md/bcache/request.c
@@ -930,8 +930,10 @@ static int cached_dev_cache_miss(struct btree *b, struct 
search *s,
cache_bio->bi_private= >cl;
  
  	bch_bio_map(cache_bio, NULL);

-   if (bch_bio_alloc_pages(cache_bio, __GFP_NOWARN|GFP_NOIO))
+   if (bch_bio_alloc_pages(cache_bio, __GFP_NOWARN|GFP_NOIO)) {
+   ret = -ENOMEM;
goto out_put;
+   }
  
  	if (reada)

bch_mark_cache_readahead(s->iop.c, s->d);


Thanks for looking at bcache :-)

Without the above change, -EINTR will be returned. -EINTR is special in
bcache's btree iteration code. See bcache_btree_root() from bcache.h,

#define bcache_btree_root(fn, c, op, ...)                       \
({                                                              \
        int _r = -EINTR;                                        \
        do {                                                    \
                struct btree *_b = (c)->root;                   \
                bool _w = insert_lock(op, _b);                  \
                rw_lock(_w, _b, _b->level);                     \
                if (_b == (c)->root &&                          \
                    _w == insert_lock(op, _b)) {                \
                        _r = bch_btree_ ## fn(_b, op, ##__VA_ARGS__); \
                }                                               \
                rw_unlock(_w, _b);                              \
                bch_cannibalize_unlock(c);                      \
                if (_r == -EINTR)                               \
                                                                \
        } while (_r == -EINTR);                                 \
                                                                \
        finish_wait(&(c)->btree_cache_wait, &(op)->wait);       \
        _r;                                                     \
})

cached_dev_cache_miss() is called by the following code path,

cache_lookup() ==> bch_btree_map_keys() ==> bcache_btree_root() ==>
bch_btree_map_keys_recurse() ==> cache_lookup_fn()

Therefore the return value of cached_dev_cache_miss() will be returned
from where s->d->cache_miss() is called from cache_lookup_fn(). And in
macro bcache_btree_root() this return value will be checked. If the
return value is -EINTR, then the whole iteration will be redone.

Returning -ENOMEM works but if the memory allocation failed, there is no
chance to re-do the cache lookup again from bcache_btree_root(). When
system memory is in heavy usage, we want the lookup to try more times
(because GFP_NOIO is set), which is much better than returning -EIO
immediately to caller.

Therefore NOT setting ret to -ENOMEM in the patching location should be
an on-purpose coding, IMHO.

Thanks.

Coly Li





[PATCH] gpu: drm: swsmu: fix error return code of smu_v11_0_set_allowed_mask()

2021-03-04 Thread Jia-Ju Bai
When bitmap_empty() or feature->feature_num triggers an error, 
no error return code of smu_v11_0_set_allowed_mask() is assigned.
To fix this bug, ret is assigned with -EINVAL as error return code.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c 
b/drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c
index 90585461a56e..82731a932308 100644
--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c
@@ -747,8 +747,10 @@ int smu_v11_0_set_allowed_mask(struct smu_context *smu)
int ret = 0;
uint32_t feature_mask[2];
 
-   if (bitmap_empty(feature->allowed, SMU_FEATURE_MAX) || 
feature->feature_num < 64)
+   if (bitmap_empty(feature->allowed, SMU_FEATURE_MAX) || 
feature->feature_num < 64) {
+   ret = -EINVAL;
goto failed;
+   }
 
bitmap_copy((unsigned long *)feature_mask, feature->allowed, 64);
 
-- 
2.17.1



[PATCH] scsi: wd719x: fix error return code of wd719x_pci_probe()

2021-03-04 Thread Jia-Ju Bai
When dma_set_mask() or pci_iomap() fails, no error return code of 
wd719x_pci_probe() is assigned.
To fix this bug, err is assigned with -EIO as error return code.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/scsi/wd719x.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/scsi/wd719x.c b/drivers/scsi/wd719x.c
index edc8a139a60d..a334e3c9de45 100644
--- a/drivers/scsi/wd719x.c
+++ b/drivers/scsi/wd719x.c
@@ -902,6 +902,7 @@ static int wd719x_pci_probe(struct pci_dev *pdev, const 
struct pci_device_id *d)
if (err)
goto fail;
 
+   err = -EIO;
if (dma_set_mask(>dev, DMA_BIT_MASK(32))) {
dev_warn(>dev, "Unable to set 32-bit DMA mask\n");
goto disable_device;
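Review bot: err = -EIO is preset before the dma_set_mask() call and the call's own return value is thrown away. Propagating it is shorter and keeps the real reason: err = dma_set_mask(...); if (err) { ...; goto disable_device; }. A preset value also stays in err if a later statement is added between the assignment and the check.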
@@ -922,6 +923,7 @@ static int wd719x_pci_probe(struct pci_dev *pdev, const 
struct pci_device_id *d)
goto release_region;
 
wd = shost_priv(sh);
+   err = -EIO;
wd->base = pci_iomap(pdev, 0, 0);
if (!wd->base)
goto free_host;
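Review bot: the second err = -EIO is placed between wd = shost_priv(sh); and the pci_iomap() call instead of inside the if (!wd->base) branch that it belongs to. Setting the code in the failure branch, with braces, makes it obvious which check produces it and does not depend on nothing touching err in between.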
-- 
2.17.1



[PATCH] marvell: libertas_tf: fix error return code of if_usb_prog_firmware()

2021-03-04 Thread Jia-Ju Bai
When check_fwfile_format() fails, no error return code of
if_usb_prog_firmware() is assigned.
To fix this bug, ret is assigned with -EINVAL as error return code.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/net/wireless/marvell/libertas_tf/if_usb.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/marvell/libertas_tf/if_usb.c 
b/drivers/net/wireless/marvell/libertas_tf/if_usb.c
index a92916dc81a9..ceca22da5a29 100644
--- a/drivers/net/wireless/marvell/libertas_tf/if_usb.c
+++ b/drivers/net/wireless/marvell/libertas_tf/if_usb.c
@@ -825,8 +825,10 @@ static int if_usb_prog_firmware(struct lbtf_private *priv)
}
kernel_param_unlock(THIS_MODULE);
 
-   if (check_fwfile_format(cardp->fw->data, cardp->fw->size))
+   if (check_fwfile_format(cardp->fw->data, cardp->fw->size)) {
+   ret = -EINVAL;
goto release_fw;
+   }
 
 restart:
if (if_usb_submit_rx_urb_fwload(cardp) < 0) {
-- 
2.17.1



[PATCH] media: i2c: imx274: fix error return code of imx274_s_frame_interval()

2021-03-04 Thread Jia-Ju Bai
When __v4l2_ctrl_modify_range() fails, no error return code of
imx274_s_frame_interval() is assigned.
To fix this bug, ret is assigned with the return value of
__v4l2_ctrl_modify_range(), and then ret is checked.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/media/i2c/imx274.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/media/i2c/imx274.c b/drivers/media/i2c/imx274.c
index 54642d5f2d5b..04f516cb6b07 100644
--- a/drivers/media/i2c/imx274.c
+++ b/drivers/media/i2c/imx274.c
@@ -1380,7 +1380,8 @@ static int imx274_s_frame_interval(struct v4l2_subdev *sd,
max = fi->interval.numerator * 100
/ fi->interval.denominator;
def = max;
-   if (__v4l2_ctrl_modify_range(ctrl, min, max, 1, def)) {
+   ret = __v4l2_ctrl_modify_range(ctrl, min, max, 1, def);
+   if (ret) {
dev_err(>client->dev,
"Exposure ctrl range update failed\n");
goto unlock;
-- 
2.17.1



[PATCH] net: intel: iavf: fix error return code of iavf_init_get_resources()

2021-03-04 Thread Jia-Ju Bai
When iavf_process_config() fails, no error return code of
iavf_init_get_resources() is assigned.
To fix this bug, err is assigned with the return value of 
iavf_process_config(), and then err is checked.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/net/ethernet/intel/iavf/iavf_main.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c 
b/drivers/net/ethernet/intel/iavf/iavf_main.c
index 0a867d64d467..dc5b3c06d1e0 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
@@ -1776,7 +1776,8 @@ static int iavf_init_get_resources(struct iavf_adapter 
*adapter)
goto err_alloc;
}
 
-   if (iavf_process_config(adapter))
+   err = iavf_process_config(adapter);
+   if (err)
goto err_alloc;
adapter->current_op = VIRTCHNL_OP_UNKNOWN;
 
-- 
2.17.1



[PATCH] md: bcache: fix error return code of cached_dev_cache_miss()

2021-03-04 Thread Jia-Ju Bai
When bch_bio_alloc_pages() fails, no error return code of 
cached_dev_cache_miss() is assigned.
To fix this bug, ret is assigned with -ENOMEM as error return code.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/md/bcache/request.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/md/bcache/request.c b/drivers/md/bcache/request.c
index 29c231758293..9ecaf26c8d60 100644
--- a/drivers/md/bcache/request.c
+++ b/drivers/md/bcache/request.c
@@ -930,8 +930,10 @@ static int cached_dev_cache_miss(struct btree *b, struct 
search *s,
cache_bio->bi_private   = >cl;
 
bch_bio_map(cache_bio, NULL);
-   if (bch_bio_alloc_pages(cache_bio, __GFP_NOWARN|GFP_NOIO))
+   if (bch_bio_alloc_pages(cache_bio, __GFP_NOWARN|GFP_NOIO)) {
+   ret = -ENOMEM;
goto out_put;
+   }
 
if (reada)
bch_mark_cache_readahead(s->iop.c, s->d);
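Review bot: setting ret = -ENOMEM when bch_bio_alloc_pages() fails removes the retry that the current return value provides. As Coly Li's reply in this thread explains, the function returns -EINTR on this path and bcache_btree_root() loops while _r == -EINTR, so the lookup is retried under memory pressure; with -ENOMEM the request fails immediately. If the intent is only to document the path, add a comment at goto out_put saying that ret is left at -EINTR on purpose.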
-- 
2.17.1



[BUG] memstick: core: missing error return code in msb_resume()

2021-03-04 Thread Jia-Ju Bai
My static analysis tool reports that no error return code is assigned in 
error handling code of msb_resume().
However, many other drivers assign error return code in xxx_resume(), 
such as sky2_resume() and e1000_resume().

I wonder whether this is intentional?


Best wishes,
Jia-Ju Bai


[PATCH] memstick: core: fix error return code of mspro_block_resume()

2021-03-04 Thread Jia-Ju Bai
When mspro_block_init_card() fails, no error return code of 
mspro_block_resume() is assigned.
To fix this bug, rc is assigned with the return value of 
mspro_block_init_card(), and then rc is checked.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/memstick/core/mspro_block.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/memstick/core/mspro_block.c 
b/drivers/memstick/core/mspro_block.c
index afb892e7ffc6..cf7fe0d58ee7 100644
--- a/drivers/memstick/core/mspro_block.c
+++ b/drivers/memstick/core/mspro_block.c
@@ -1382,7 +1382,8 @@ static int mspro_block_resume(struct memstick_dev *card)
 
new_msb->card = card;
memstick_set_drvdata(card, new_msb);
-   if (mspro_block_init_card(card))
+   rc = mspro_block_init_card(card);
+   if (rc)
goto out_free;
 
for (cnt = 0; new_msb->attr_group.attrs[cnt]
-- 
2.17.1



[PATCH] net: tehuti: fix error return code in bdx_probe()

2021-03-04 Thread Jia-Ju Bai
When bdx_read_mac() fails, no error return code of bdx_probe() 
is assigned.
To fix this bug, err is assigned with -EFAULT as error return code.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/net/ethernet/tehuti/tehuti.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/tehuti/tehuti.c 
b/drivers/net/ethernet/tehuti/tehuti.c
index b8f4f419173f..d054c6e83b1c 100644
--- a/drivers/net/ethernet/tehuti/tehuti.c
+++ b/drivers/net/ethernet/tehuti/tehuti.c
@@ -2044,6 +2044,7 @@ bdx_probe(struct pci_dev *pdev, const struct 
pci_device_id *ent)
/*bdx_hw_reset(priv); */
if (bdx_read_mac(priv)) {
pr_err("load MAC address failed\n");
+   err = -EFAULT;
goto err_out_iomap;
}
SET_NETDEV_DEV(ndev, >dev);
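Review bot: -EFAULT is the code for a bad address, which does not describe a failed MAC read in the bdx_read_mac() branch. If bdx_read_mac() returns a negative errno, propagate it (err = bdx_read_mac(priv); if (err) ...); otherwise -EIO fits a device read failure better. The commit message gives no reason for choosing -EFAULT.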
-- 
2.17.1



[PATCH] crypto: allwinner: sun8i-ce: fix error return code in sun8i_ce_prng_generate()

2021-03-04 Thread Jia-Ju Bai
When dma_mapping_error() returns an error, no error return code of 
sun8i_ce_prng_generate() is assigned.
To fix this bug, err is assigned with -EFAULT as error return code.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/crypto/allwinner/sun8i-ce/sun8i-ce-prng.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-prng.c 
b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-prng.c
index cfde9ee4356b..cd1baee424a1 100644
--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-prng.c
+++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-prng.c
@@ -99,6 +99,7 @@ int sun8i_ce_prng_generate(struct crypto_rng *tfm, const u8 
*src,
dma_iv = dma_map_single(ce->dev, ctx->seed, ctx->slen, DMA_TO_DEVICE);
if (dma_mapping_error(ce->dev, dma_iv)) {
dev_err(ce->dev, "Cannot DMA MAP IV\n");
+   err = -EFAULT;
goto err_iv;
}
 
-- 
2.17.1



[PATCH] net: mellanox: mlx5: fix error return code in mlx5_fpga_device_start()

2021-03-04 Thread Jia-Ju Bai
When mlx5_is_fpga_lookaside() returns a non-zero value, no error 
return code is assigned.
To fix this bug, err is assigned with -EINVAL as error return code.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/net/ethernet/mellanox/mlx5/core/fpga/core.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/core.c 
b/drivers/net/ethernet/mellanox/mlx5/core/fpga/core.c
index 2ce4241459ce..c9e6da97126f 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/core.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/core.c
@@ -198,8 +198,10 @@ int mlx5_fpga_device_start(struct mlx5_core_dev *mdev)
mlx5_fpga_info(fdev, "FPGA card %s:%u\n", mlx5_fpga_name(fpga_id), 
fpga_id);
 
/* No QPs if FPGA does not participate in net processing */
-   if (mlx5_is_fpga_lookaside(fpga_id))
+   if (mlx5_is_fpga_lookaside(fpga_id)) {
+   err = -EINVAL;
goto out;
+   }
 
mlx5_fpga_info(fdev, "%s(%d): image, version %u; SBU %06x:%04x version 
%d\n",
   mlx5_fpga_image_name(fdev->last_oper_image),
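Review bot: the comment above the mlx5_is_fpga_lookaside() check says "No QPs if FPGA does not participate in net processing", which describes a supported configuration where the rest of the setup is skipped, not an error. Returning -EINVAL here would make mlx5_fpga_device_start() fail for every lookaside card. The goto out is an early success exit and err should stay unchanged on it.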
-- 
2.17.1



[PATCH] staging: media: omap4iss: fix error return code in iss_probe()

2021-03-04 Thread Jia-Ju Bai
When omap4iss_get() returns NULL, no error return code is assigned.
To fix this bug, ret is assigned with -EINVAL as error return code.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/staging/media/omap4iss/iss.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/media/omap4iss/iss.c 
b/drivers/staging/media/omap4iss/iss.c
index dae9073e7d3c..085397045b36 100644
--- a/drivers/staging/media/omap4iss/iss.c
+++ b/drivers/staging/media/omap4iss/iss.c
@@ -1236,8 +1236,10 @@ static int iss_probe(struct platform_device *pdev)
if (ret < 0)
goto error;
 
-   if (!omap4iss_get(iss))
+   if (!omap4iss_get(iss)) {
+   ret = -EINVAL;
goto error;
+   }
 
ret = iss_reset(iss);
if (ret < 0)
-- 
2.17.1



[PATCH] hid: hid-alps: fix error return code in alps_input_configured()

2021-03-04 Thread Jia-Ju Bai
When input_register_device() fails, no error return code is assigned.
To fix this bug, ret is assigned with -ENOENT as error return code.

Reported-by: TOTE Robot 
Signed-off-by: Jia-Ju Bai 
---
 drivers/hid/hid-alps.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/hid/hid-alps.c b/drivers/hid/hid-alps.c
index 3feaece13ade..6b665931147d 100644
--- a/drivers/hid/hid-alps.c
+++ b/drivers/hid/hid-alps.c
@@ -761,6 +761,7 @@ static int alps_input_configured(struct hid_device *hdev, 
struct hid_input *hi)
 
if (input_register_device(data->input2)) {
input_free_device(input2);
+   ret = -ENOENT;
goto exit;
}
}
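Review bot: input_register_device() returns its own error code, and the patch replaces it with a fixed -ENOENT. Propagate the value instead: ret = input_register_device(data->input2); if (ret) { input_free_device(input2); goto exit; }. That keeps the real cause (for example an allocation failure) visible to the caller.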
-- 
2.17.1



Re: [PATCH v2 1/4] rtlwifi: rtl8188ee: avoid accessing the data mapped to streaming DMA

2020-11-18 Thread Jia-Ju Bai

Thanks for the advice.
I have added the description of the changes and resent the patches.


Best wishes,
Jia-Ju Bai

On 2020/11/19 1:20, Larry Finger wrote:

On 11/17/20 7:53 PM, Jia-Ju Bai wrote:

In rtl88ee_tx_fill_cmddesc(), skb->data is mapped to streaming DMA on
line 677:
   dma_addr_t mapping = dma_map_single(..., skb->data, ...);

On line 680, skb->data is assigned to hdr after cast:
   struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);

Then hdr->frame_control is accessed on line 681:
   __le16 fc = hdr->frame_control;

This DMA access may cause data inconsistency between CPU and hardware.

To fix this bug, hdr->frame_control is accessed before the DMA mapping.

Signed-off-by: Jia-Ju Bai 
---
  drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.c | 6 +++---
  1 file changed, 3 insertions(+), 3 deletions(-)


What changed between v1 and v2?

As outlined in Documentation/process/submitting-patches.rst, you 
should add a '---' marker and descrive what was changed. I usually 
summarize the changes, but it is also possible to provide a diffstat 
of the changes as the above file shows.




[PATCH v2 4/4 resend] rtlwifi: rtl8723ae: avoid accessing the data mapped to streaming DMA

2020-11-18 Thread Jia-Ju Bai
In rtl8723e_tx_fill_cmddesc(), skb->data is mapped to streaming DMA on
line 531:
  dma_addr_t mapping = dma_map_single(..., skb->data, ...);

On line 534, skb->data is assigned to hdr after cast:
  struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);

Then hdr->frame_control is accessed on line 535:
  __le16 fc = hdr->frame_control;

This DMA access may cause data inconsistency between CPU and hardware.

To fix this bug, hdr->frame_control is accessed before the DMA mapping.

Signed-off-by: Jia-Ju Bai 
---
v2:
* Use "rtlwifi" as subject prefix and have all rtlwifi patches in the
  same patchset.
  Thank Ping and Larry for good advice.

---
 drivers/net/wireless/realtek/rtlwifi/rtl8723ae/trx.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/trx.c 
b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/trx.c
index e3ee91b7ea8d..340b3d68a54e 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/trx.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/trx.c
@@ -528,12 +528,12 @@ void rtl8723e_tx_fill_cmddesc(struct ieee80211_hw *hw,
u8 fw_queue = QSLT_BEACON;
__le32 *pdesc = (__le32 *)pdesc8;
 
-   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
-   skb->len, DMA_TO_DEVICE);
-
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);
__le16 fc = hdr->frame_control;
 
+   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
+   skb->len, DMA_TO_DEVICE);
+
if (dma_mapping_error(>pdev->dev, mapping)) {
rtl_dbg(rtlpriv, COMP_SEND, DBG_TRACE,
"DMA mapping error\n");
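Review bot: the commit message claims a CPU/hardware data inconsistency, but the access being moved is a CPU read (__le16 fc = hdr->frame_control;) of a buffer mapped with DMA_TO_DEVICE, and a read does not change the data handed to the device. The reordering is reasonable as a buffer-ownership cleanup; the message should either describe it that way or name the concrete failure that the old order can cause. Referring to source line numbers (531, 534, 535) in the message will also go stale as soon as the file changes.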
-- 
2.17.1



[PATCH v2 2/4 resend] rtlwifi: rtl8192ce: avoid accessing the data mapped to streaming DMA

2020-11-18 Thread Jia-Ju Bai
In rtl92ce_tx_fill_cmddesc(), skb->data is mapped to streaming DMA on
line 530:
  dma_addr_t mapping = dma_map_single(..., skb->data, ...);

On line 533, skb->data is assigned to hdr after cast:
  struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);

Then hdr->frame_control is accessed on line 534:
  __le16 fc = hdr->frame_control;

This DMA access may cause data inconsistency between CPU and hardware.

To fix this bug, hdr->frame_control is accessed before the DMA mapping.

Signed-off-by: Jia-Ju Bai 
---
v2:
* Use "rtlwifi" as subject prefix and have all rtlwifi patches in the
  same patchset.
  Thank Ping and Larry for good advice.

---
 drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c 
b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c
index c0635309a92d..4165175cf5c0 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c
@@ -527,12 +527,12 @@ void rtl92ce_tx_fill_cmddesc(struct ieee80211_hw *hw,
u8 fw_queue = QSLT_BEACON;
__le32 *pdesc = (__le32 *)pdesc8;
 
-   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
-   skb->len, DMA_TO_DEVICE);
-
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);
__le16 fc = hdr->frame_control;
 
+   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
+   skb->len, DMA_TO_DEVICE);
+
if (dma_mapping_error(>pdev->dev, mapping)) {
rtl_dbg(rtlpriv, COMP_SEND, DBG_TRACE,
"DMA mapping error\n");
-- 
2.17.1
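
Review bot: `dma_addr_t mapping = dma_map_single(...)` is still an initializer, now sitting after a blank line below the other locals, so the ordering that this fix depends on is expressed only by declaration order. Declare `dma_addr_t mapping;` with the other locals and make the `dma_map_single()` call a plain assignment directly above the `dma_mapping_error()` check.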



[PATCH v2 3/4 resend] rtlwifi: rtl8192de: avoid accessing the data mapped to streaming DMA

2020-11-18 Thread Jia-Ju Bai
In rtl92de_tx_fill_cmddesc(), skb->data is mapped to streaming DMA on
line 667:
  dma_addr_t mapping = dma_map_single(..., skb->data, ...);

On line 669, skb->data is assigned to hdr after cast:
  struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);

Then hdr->frame_control is accessed on line 670:
  __le16 fc = hdr->frame_control;

This DMA access may cause data inconsistency between CPU and hardware.

To fix this bug, hdr->frame_control is accessed before the DMA mapping.

Signed-off-by: Jia-Ju Bai 
---
v2:
* Use "rtlwifi" as subject prefix and have all rtlwifi patches in the
  same patchset.
  Thank Ping and Larry for good advice.

---
 drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.c 
b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.c
index 8944712274b5..c02813fba934 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.c
@@ -664,12 +664,14 @@ void rtl92de_tx_fill_cmddesc(struct ieee80211_hw *hw,
struct rtl_ps_ctl *ppsc = rtl_psc(rtlpriv);
struct rtl_hal *rtlhal = rtl_hal(rtlpriv);
u8 fw_queue = QSLT_BEACON;
-   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
-   skb->len, DMA_TO_DEVICE);
+
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);
__le16 fc = hdr->frame_control;
__le32 *pdesc = (__le32 *)pdesc8;
 
+   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
+   skb->len, DMA_TO_DEVICE);
+
if (dma_mapping_error(>pdev->dev, mapping)) {
rtl_dbg(rtlpriv, COMP_SEND, DBG_TRACE,
"DMA mapping error\n");
-- 
2.17.1
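
Review bot: the empty line added after `u8 fw_queue = QSLT_BEACON;` splits the local declarations in two and is not needed for the fix. Drop it so the hunk only moves the `dma_map_single()` call below the `hdr->frame_control` read, which also brings the diffstat down to a pure move.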



[PATCH v2 1/4 resend] rtlwifi: rtl8188ee: avoid accessing the data mapped to streaming DMA

2020-11-18 Thread Jia-Ju Bai
In rtl88ee_tx_fill_cmddesc(), skb->data is mapped to streaming DMA on
line 677:
  dma_addr_t mapping = dma_map_single(..., skb->data, ...);

On line 680, skb->data is assigned to hdr after cast:
  struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);

Then hdr->frame_control is accessed on line 681:
  __le16 fc = hdr->frame_control;

This DMA access may cause data inconsistency between CPU and hardware.

To fix this bug, hdr->frame_control is accessed before the DMA mapping.

Signed-off-by: Jia-Ju Bai 
---
v2: 
* Use "rtlwifi" as subject prefix and have all rtlwifi patches in the
  same patchset.
  Thank Ping and Larry for good advice.

---
 drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.c 
b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.c
index b9775eec4c54..c948dafa0c80 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.c
@@ -674,12 +674,12 @@ void rtl88ee_tx_fill_cmddesc(struct ieee80211_hw *hw,
u8 fw_queue = QSLT_BEACON;
__le32 *pdesc = (__le32 *)pdesc8;
 
-   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
-   skb->len, DMA_TO_DEVICE);
-
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);
__le16 fc = hdr->frame_control;
 
+   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
+   skb->len, DMA_TO_DEVICE);
+
if (dma_mapping_error(>pdev->dev, mapping)) {
rtl_dbg(rtlpriv, COMP_SEND, DBG_TRACE,
"DMA mapping error\n");
-- 
2.17.1
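
Review bot: `hdr` still points into `skb->data` after the `dma_map_single()` call that moves down here, and the hunk shows only the `frame_control` read being placed ahead of the mapping. Please confirm that the rest of rtl88ee_tx_fill_cmddesc() works from the cached `fc` and never dereferences `hdr` or `skb->data` again; any such access needs the same treatment.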



[PATCH v2 4/4] rtlwifi: rtl8723ae: avoid accessing the data mapped to streaming DMA

2020-11-17 Thread Jia-Ju Bai
In rtl8723e_tx_fill_cmddesc(), skb->data is mapped to streaming DMA on
line 531:
  dma_addr_t mapping = dma_map_single(..., skb->data, ...);

On line 534, skb->data is assigned to hdr after cast:
  struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);

Then hdr->frame_control is accessed on line 535:
  __le16 fc = hdr->frame_control;

This DMA access may cause data inconsistency between CPU and hardware.

To fix this bug, hdr->frame_control is accessed before the DMA mapping.

Signed-off-by: Jia-Ju Bai 
---
 drivers/net/wireless/realtek/rtlwifi/rtl8723ae/trx.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/trx.c 
b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/trx.c
index e3ee91b7ea8d..340b3d68a54e 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/trx.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/trx.c
@@ -528,12 +528,12 @@ void rtl8723e_tx_fill_cmddesc(struct ieee80211_hw *hw,
u8 fw_queue = QSLT_BEACON;
__le32 *pdesc = (__le32 *)pdesc8;
 
-   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
-   skb->len, DMA_TO_DEVICE);
-
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);
__le16 fc = hdr->frame_control;
 
+   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
+   skb->len, DMA_TO_DEVICE);
+
if (dma_mapping_error(>pdev->dev, mapping)) {
rtl_dbg(rtlpriv, COMP_SEND, DBG_TRACE,
"DMA mapping error\n");
-- 
2.17.1
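
Review bot: nothing at the moved `dma_addr_t mapping = dma_map_single(...)` line records that it has to stay below the `hdr->frame_control` read, so a later tidy-up of the declarations could restore the old order. A one-line comment above the mapping, saying that CPU accesses to skb->data must happen before it, would keep the fix in place.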



Re: [PATCH] rtl8192ce: avoid accessing the data mapped to streaming DMA

2020-11-17 Thread Jia-Ju Bai




On 2020/11/7 19:44, Kalle Valo wrote:

Jia-Ju Bai  wrote:


In rtl92ce_tx_fill_cmddesc(), skb->data is mapped to streaming DMA on
line 530:
   dma_addr_t mapping = dma_map_single(..., skb->data, ...);

On line 533, skb->data is assigned to hdr after cast:
   struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);

Then hdr->frame_control is accessed on line 534:
   __le16 fc = hdr->frame_control;

This DMA access may cause data inconsistency between CPU and hardware.

To fix this bug, hdr->frame_control is accessed before the DMA mapping.

Signed-off-by: Jia-Ju Bai 

Like Ping said, use "rtlwifi:" prefix and have all rtlwifi patches in
the same patchset.

4 patches set to Changes Requested.

11843533 rtl8192ce: avoid accessing the data mapped to streaming DMA
11843541 rtl8192de: avoid accessing the data mapped to streaming DMA
11843553 rtl8723ae: avoid accessing the data mapped to streaming DMA
11843557 rtl8188ee: avoid accessing the data mapped to streaming DMA



Okay, I have sent v2 patches just now.
Please have a look, thanks :)


Best wishes,
Jia-Ju Bai


[PATCH v2 1/4] rtlwifi: rtl8188ee: avoid accessing the data mapped to streaming DMA

2020-11-17 Thread Jia-Ju Bai
In rtl88ee_tx_fill_cmddesc(), skb->data is mapped to streaming DMA on
line 677:
  dma_addr_t mapping = dma_map_single(..., skb->data, ...);

On line 680, skb->data is assigned to hdr after cast:
  struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);

Then hdr->frame_control is accessed on line 681:
  __le16 fc = hdr->frame_control;

This DMA access may cause data inconsistency between CPU and hardware.

To fix this bug, hdr->frame_control is accessed before the DMA mapping.

Signed-off-by: Jia-Ju Bai 
---
 drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.c 
b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.c
index b9775eec4c54..c948dafa0c80 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.c
@@ -674,12 +674,12 @@ void rtl88ee_tx_fill_cmddesc(struct ieee80211_hw *hw,
u8 fw_queue = QSLT_BEACON;
__le32 *pdesc = (__le32 *)pdesc8;
 
-   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
-   skb->len, DMA_TO_DEVICE);
-
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);
__le16 fc = hdr->frame_control;
 
+   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
+   skb->len, DMA_TO_DEVICE);
+
if (dma_mapping_error(>pdev->dev, mapping)) {
rtl_dbg(rtlpriv, COMP_SEND, DBG_TRACE,
"DMA mapping error\n");
-- 
2.17.1
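
Review bot: the `dma_map_single()` call stays inside a variable initializer, so the required order (read `hdr->frame_control`, then map) depends on where a declaration happens to sit. Moving the call out of the declarations, as `mapping = dma_map_single(...);` immediately before `if (dma_mapping_error(...))`, makes the sequence an explicit statement order.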



[PATCH v2 3/4] rtlwifi: rtl8192de: avoid accessing the data mapped to streaming DMA

2020-11-17 Thread Jia-Ju Bai
In rtl92de_tx_fill_cmddesc(), skb->data is mapped to streaming DMA on
line 667:
  dma_addr_t mapping = dma_map_single(..., skb->data, ...);

On line 669, skb->data is assigned to hdr after cast:
  struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);

Then hdr->frame_control is accessed on line 670:
  __le16 fc = hdr->frame_control;

This DMA access may cause data inconsistency between CPU and hardware.

To fix this bug, hdr->frame_control is accessed before the DMA mapping.

Signed-off-by: Jia-Ju Bai 
---
 drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.c 
b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.c
index 8944712274b5..c02813fba934 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.c
@@ -664,12 +664,14 @@ void rtl92de_tx_fill_cmddesc(struct ieee80211_hw *hw,
struct rtl_ps_ctl *ppsc = rtl_psc(rtlpriv);
struct rtl_hal *rtlhal = rtl_hal(rtlpriv);
u8 fw_queue = QSLT_BEACON;
-   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
-   skb->len, DMA_TO_DEVICE);
+
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);
__le16 fc = hdr->frame_control;
__le32 *pdesc = (__le32 *)pdesc8;
 
+   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
+   skb->len, DMA_TO_DEVICE);
+
if (dma_mapping_error(>pdev->dev, mapping)) {
rtl_dbg(rtlpriv, COMP_SEND, DBG_TRACE,
"DMA mapping error\n");
-- 
2.17.1
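
Review bot: after this change `hdr` remains a live pointer into the buffer that `dma_map_single()` hands to the device, and only the `__le16 fc = hdr->frame_control;` read is visibly ordered before the mapping. Please check the remainder of rtl92de_tx_fill_cmddesc() for further uses of `hdr` or `skb->data` and note in the changelog that none remain.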



[PATCH v2 2/4] rtlwifi: rtl8192ce: avoid accessing the data mapped to streaming DMA

2020-11-17 Thread Jia-Ju Bai
In rtl92ce_tx_fill_cmddesc(), skb->data is mapped to streaming DMA on
line 530:
  dma_addr_t mapping = dma_map_single(..., skb->data, ...);

On line 533, skb->data is assigned to hdr after cast:
  struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);

Then hdr->frame_control is accessed on line 534:
  __le16 fc = hdr->frame_control;

This DMA access may cause data inconsistency between CPU and hardware.

To fix this bug, hdr->frame_control is accessed before the DMA mapping.

Signed-off-by: Jia-Ju Bai 
---
 drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c 
b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c
index c0635309a92d..4165175cf5c0 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192ce/trx.c
@@ -527,12 +527,12 @@ void rtl92ce_tx_fill_cmddesc(struct ieee80211_hw *hw,
u8 fw_queue = QSLT_BEACON;
__le32 *pdesc = (__le32 *)pdesc8;
 
-   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
-   skb->len, DMA_TO_DEVICE);
-
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);
__le16 fc = hdr->frame_control;
 
+   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
+   skb->len, DMA_TO_DEVICE);
+
if (dma_mapping_error(>pdev->dev, mapping)) {
rtl_dbg(rtlpriv, COMP_SEND, DBG_TRACE,
"DMA mapping error\n");
-- 
2.17.1
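
Review bot: the changelog says the access to `hdr->frame_control` "may cause data inconsistency", but the mapping being moved is `DMA_TO_DEVICE` and the access is a CPU read. Please explain the failure you expect from a read on a to-device mapping, or reword the changelog so it presents the reordering as following the rule that the CPU leaves a mapped buffer alone.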



[PATCH] rtl8188ee: avoid accessing the data mapped to streaming DMA

2020-10-18 Thread Jia-Ju Bai
In rtl88ee_tx_fill_cmddesc(), skb->data is mapped to streaming DMA on
line 677:
  dma_addr_t mapping = dma_map_single(..., skb->data, ...);

On line 680, skb->data is assigned to hdr after cast:
  struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);

Then hdr->frame_control is accessed on line 681:
  __le16 fc = hdr->frame_control;

This DMA access may cause data inconsistency between CPU and hardware.

To fix this bug, hdr->frame_control is accessed before the DMA mapping.

Signed-off-by: Jia-Ju Bai 
---
 drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.c 
b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.c
index b9775eec4c54..c948dafa0c80 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/trx.c
@@ -674,12 +674,12 @@ void rtl88ee_tx_fill_cmddesc(struct ieee80211_hw *hw,
u8 fw_queue = QSLT_BEACON;
__le32 *pdesc = (__le32 *)pdesc8;
 
-   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
-   skb->len, DMA_TO_DEVICE);
-
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);
__le16 fc = hdr->frame_control;
 
+   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
+   skb->len, DMA_TO_DEVICE);
+
if (dma_mapping_error(>pdev->dev, mapping)) {
rtl_dbg(rtlpriv, COMP_SEND, DBG_TRACE,
"DMA mapping error\n");
-- 
2.17.1
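
Review bot: the reason `dma_map_single()` now follows `__le16 fc = hdr->frame_control;` lives only in the changelog, not in the code. Add a short comment above the moved `dma_addr_t mapping = ...` line stating that skb->data must not be touched by the CPU once it is mapped, so the order is not undone by a later cleanup.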



[PATCH] rtl8723ae: avoid accessing the data mapped to streaming DMA

2020-10-18 Thread Jia-Ju Bai
In rtl8723e_tx_fill_cmddesc(), skb->data is mapped to streaming DMA on
line 531:
  dma_addr_t mapping = dma_map_single(..., skb->data, ...);

On line 534, skb->data is assigned to hdr after cast:
  struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);

Then hdr->frame_control is accessed on line 535:
  __le16 fc = hdr->frame_control;

This DMA access may cause data inconsistency between CPU and hardware.

To fix this bug, hdr->frame_control is accessed before the DMA mapping.

Signed-off-by: Jia-Ju Bai 
---
 drivers/net/wireless/realtek/rtlwifi/rtl8723ae/trx.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/trx.c 
b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/trx.c
index e3ee91b7ea8d..340b3d68a54e 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/trx.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/trx.c
@@ -528,12 +528,12 @@ void rtl8723e_tx_fill_cmddesc(struct ieee80211_hw *hw,
u8 fw_queue = QSLT_BEACON;
__le32 *pdesc = (__le32 *)pdesc8;
 
-   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
-   skb->len, DMA_TO_DEVICE);
-
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);
__le16 fc = hdr->frame_control;
 
+   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
+   skb->len, DMA_TO_DEVICE);
+
if (dma_mapping_error(>pdev->dev, mapping)) {
rtl_dbg(rtlpriv, COMP_SEND, DBG_TRACE,
"DMA mapping error\n");
-- 
2.17.1
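
Review bot: the hunk orders one access, `hdr->frame_control`, ahead of `dma_map_single()`, but `hdr` keeps pointing at `skb->data` for the rest of rtl8723e_tx_fill_cmddesc(). Please verify that no code after the `dma_mapping_error()` check reads or writes through `hdr` or `skb->data`, and say so in the changelog.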



[PATCH] rtl8192de: avoid accessing the data mapped to streaming DMA

2020-10-18 Thread Jia-Ju Bai
In rtl92de_tx_fill_cmddesc(), skb->data is mapped to streaming DMA on
line 667:
  dma_addr_t mapping = dma_map_single(..., skb->data, ...);

On line 669, skb->data is assigned to hdr after cast:
  struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);

Then hdr->frame_control is accessed on line 670:
  __le16 fc = hdr->frame_control;

This DMA access may cause data inconsistency between CPU and hardware.

To fix this bug, hdr->frame_control is accessed before the DMA mapping.

Signed-off-by: Jia-Ju Bai 
---
 drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.c 
b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.c
index 8944712274b5..c02813fba934 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/trx.c
@@ -664,12 +664,14 @@ void rtl92de_tx_fill_cmddesc(struct ieee80211_hw *hw,
struct rtl_ps_ctl *ppsc = rtl_psc(rtlpriv);
struct rtl_hal *rtlhal = rtl_hal(rtlpriv);
u8 fw_queue = QSLT_BEACON;
-   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
-   skb->len, DMA_TO_DEVICE);
+
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)(skb->data);
__le16 fc = hdr->frame_control;
__le32 *pdesc = (__le32 *)pdesc8;
 
+   dma_addr_t mapping = dma_map_single(>pdev->dev, skb->data,
+   skb->len, DMA_TO_DEVICE);
+
if (dma_mapping_error(>pdev->dev, mapping)) {
rtl_dbg(rtlpriv, COMP_SEND, DBG_TRACE,
"DMA mapping error\n");
-- 
2.17.1
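
Review bot: for the `DMA_TO_DEVICE` mapping moved below `__le16 fc = hdr->frame_control;`, the changelog does not say how a CPU read of the header could leave CPU and device with different data. Please add that reasoning, or state that the patch is a precaution that keeps CPU accesses to skb->data before `dma_map_single()`.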


